Protect your network from a DoS attack

By Drew Bird | Aug 18, 2000 | Print this Page

Earlier this year, a number of prominent Internet sites were bought to a standstill by highly organized denial of service (DoS) attacks. You may remember the names of the victims--they were well known companies like eBay Inc. and Yahoo Inc. You might expect that companies such as these, whose business is the Internet, would have the means and resources to prevent these attacks. But the fact is, although they use the best hardware, software, and people available, no system that provides resources to the Internet can ever be completely secure.

Many of the articles, columns, and analysis pieces written on the attacks focused on the business issues rather than the technical aspects of the incidents. That's all well and good, but as a network administrator, you need to understand exactly what the risks are, and how you can go about protecting yourself. In this article, I'll tell you some ways you can help safeguard your company.

Know your enemy: Two types of DoS attacks

DoS attacks differ from traditional hacking attempts because they do not actually yield any information or provide access to a company's systems, making the motive for the attacks somewhat unclear. Unless the hacker has something to gain by putting the service offline for a few hours, a DoS service attack is little more than a means of being disruptive.

There are various types of DoS attack, but they typically fall into one of two categories:

  • Operating system attacks--Defined as attacks directed against a certain facet of the computer's operating system. The objective of these attacks is to cause the system to freeze or completely restart. As operating system attacks are very explicit in nature, applying software updates or patches that are released by software manufacturers or independent developers can easily prevent them.

  • Networking attacks--The more common type of DoS attack, which attempts to take advantage of built-in aspects of the networking functions of a system. Though various methods are used in these attacks, the most common type is that which directs so much data at the network interfaces of a system, that it closes down completely, or resets the network interface being targeted. It was a variation of this type of attack that caused the attacks earlier this year.

How does a networking DoS attack work?

Blocking illegitimate traffic at the ISP

It has been suggested that ISPs could block any traffic exiting their network that did not have a legitimate IP address attached to it. Though this would be likely to significantly reduce the number of DoS attacks, the ISPs are not as enthusiastic as you might expect about the idea. Not only would they have to foot the bill for the new technology, they also realize that it would most likely be a short-term cure.

Another consideration is that a great number of the recent DDoS attacks have been mounted using systems at universities and other educational institutions. Many of these systems do not use ISPs to connect to the Internet, and have reasonably lax security on their systems.

In a networking DoS attack, a host somewhere on the Internet sends a stream of packets to the target server, but uses a false return address within the packet. When the server attempts to acknowledge the opening of a connection with the sender, the sender's bogus address cannot subsequently be contacted. Because the nature of the Internet means that packets are often lost or delayed, the TCP/IP protocol has measures built into it that will repeatedly continue trying to contact the sender, until it finally times out. While this retry process is going on, the sender continues to send even more packets with yet more invalid source addresses, all of which go onto retry until finally the machine cannot respond to any more requests. The next step the machine takes is to either shut down the interface, or start to refuse any more connections, including those that are from legitimate sources. The use of fake IP return addresses not only is the cause of the failure, it serves to effectively disguise the identity of the person launching the attack.

Historically, a networking DoS attack aimed at a server could be effectively mounted from a single Internet node. Now however, the vast capacity for throughput, coupled with advances in server clustering and load balancing, mean that originating the attack from one destination is no longer sufficient, and hackers must be a little more creative in their attempts to shut down servers.

So how do you get more than one machine to launch a DoS attack against a target? The method used by hackers involves planting lots of small DoS attack programs on various Internet nodes, which can then be triggered from another Internet location. When the hacker wants to initiate an attack, he or she simply sends a trigger command to all of the DoS programs around the Internet, and they start the attack in concert.

The result is a very comprehensive and almost impossible to trace DoS attack. This type of attack, known as a Distributed Denial of Service (DDoS) attack first appeared in 1998, and is gaining popularity fast!In this scenario, a side issue of the main DoS attack is that machines "infected" with the DoS attack programs have usually been hacked themselves, unbeknown to the owners and administrators of the system.

Are you at risk?

Whether you are at risk from DoS attacks will depend on your Internet connection configuration and what services you are making available to outside sources. Even with an advanced firewall system, you may still be susceptible to attack. The short answer is that the more services you make available to the outside, the more susceptible you are to the various types of DoS attacks.

If you are concerned about whether your systems may be hosting distributed DoS relay programs, help is at hand. Many of the major anti-virus checking software programs will now detect and report if any of the currently known DDoS tools are installed on your systems. In addition, a number of free utilities available on the Internet will check your system for the rogue programs. Remember though, that these programs only have the ability to detect known DDoS tools. The nature of hacking will always mean that anti-virus programmers are constantly playing catch-up.

How do you protect yourself?

Cross Links

  • Computer Emergency Response Team (CERT):
  • International Computer Security Association (ICSA):
  • National Infrastructure Protection Center (NIPC):
  • If your Internet connection is used only for Internet browsing and the sending and receiving of Internet e-mail, then protecting yourself from most DoS attacks should not be that difficult, provided you are using a good quality (which does not necessarily mean expensive) firewall solution. Nearly all commercially available firewall products provide some level of protection against a DoS attack, though you will not find any that claim to prevent them completely.

    If you need to provide networked services to outside users, then a number of other strategies can reduce the risk of your becoming the victim of a DoS attack, though they are unlikely to prevent a targeted attack:

    • On almost all major platforms, you can configure networking parameters such as the amount of available connections and the time span after which the machine will stop trying to reconnect to remote nodes. Increasing the amount of available connections and decreasing the retry time will also help to reduce the impact of many simple DoS attacks.

    • Another increasingly popular strategy is to employ spoofing filters, which monitor incoming traffic in an attempt to identify packets that may be part of a DoS attack

    • If you have a firewall, configure it to allow out only packets that originated from an IP address range inside your network. Doing so will prevent a machine from your Internal network from being used as a redirected host by a hacker in a DDoS attack.

    Prevention and cure

    One of the by-products of these high profile attacks in the U.S. has been the involvement of law enforcement agencies such as the FBI. Although those launching DoS attacks have the luxury of hiding behind fake IP addresses, the authorities are quickly learning and adapting to the methods that hackers use. Many within these agencies believe that it will only be a matter of time before a DoS hacker is caught and prosecuted.

    There is also talk of legal action being taken against the ISPs, institutions, or companies from which the attacks are launched or relayed. Though it must still be proved that the attack originated from the ISP or organization, this is somewhat easier to do than pinpoint the exact address that was being used to originate the attack, or who was using the address at that time. Because you may unwittingly be the host of the attacks, you could find yourself in a lawsuit that names you as a part of the problem--another reason to examine your protection measures.

    As always, prevention is better than cure. If only it were that simple. In many respects, DoS does not differ from the many other Internet-spawned hacks, in that as fast as the attacks occur, new strategies and products become available to counter any new variations. One significant factor that could serve to diminish the proliferation of DoS attacks will be the implementation of the next version of TCP/IP: IPV6. The new version promises to offer a greater level of protection against threats such as DoS attacks.

    In the meantime, system administrators can do little but use existing measures and good practices to ensure that they become neither a victim nor an accomplice. //

    Drew Bird (MCT, MCNI) is a freelance instructor and technical writer. He has been working in the IT industry for 12 years and currently lives in Kelowna, Canada. You can e-mail Drew at