{"id":519,"date":"2012-03-02T19:55:57","date_gmt":"2012-03-02T19:55:57","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=519"},"modified":"2018-09-06T23:29:24","modified_gmt":"2018-09-06T23:29:24","slug":"how-to-prevent-denial-of-service-attacks","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=519","title":{"rendered":"How to Prevent Denial of Service Attacks"},"content":{"rendered":"<p>The denial of service attack is  statistically the most used malicious attack out of them all. This stems  from the ease of use of the attack, as well as the alarming lethality.  Literally anyone can bring down a website with a simple command prompt.  The question is- how do you protect against an attack that can cripple  your network or website in a matter of minutes?<\/p>\n<h3>Types of Denial of Service Attacks<\/h3>\n<p>If you are going to protect against an attack, you  first have to know how it works. You must familiarize yourself with the  different variations, methods, and plans of attacks that hackers use.  Surprisingly, there are at least seven different classifications of  denial of service attacks known today.<\/p>\n<h3>Ping Flood<\/h3>\n<p>The most basic of attacks is the ping flood attack. It relies on the  ICMP echo command, more popularly known as ping . In legitimate  situations the ping command is used by network administrators to test  connectivity between two computers. In the ping flood attack, it is used  to flood large amounts of data packets to the victim\u2019s computer in an  attempt to overload it. 
You can see an example of the ping flood attack  below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/learn-networking.com\/wp-content\/uploads\/2008\/01\/ping-flood1.jpg\" alt=\"ping flood\" \/><\/p>\n<p>Notice how we used two commands in particular: <strong>-n<\/strong> and <strong>\u2013l<\/strong>.<\/p>\n<h4>Two Exploitable Commands Using Ping<\/h4>\n<ul>\n<hr \/>\n<li> <strong>1.<\/strong> The <strong>\u2013n<\/strong> command tells the prompt to send the request a specified amount of times. The default is four packets, but we sent five.<\/li>\n<li><strong>2.<\/strong> The <strong>\u2013l<\/strong> command tells the prompt how much data to send for each packet. The maximum is 65,500 bytes, while the default is just 32.<\/li>\n<hr \/>\n<\/ul>\n<p>This type of attack is generally useless on larger networks or  websites. This is because only one computer is being used to flood the  victim\u2019s resources. If we were to use a group of computers, then the  attack would become a distributed denial of service attack, or DDoS.<\/p>\n<p>The most common cure to the ping flood attack is to simply ban the IP  address from accessing your network. A distributed denial of service  attack is a bit more complex, but we will take a look at them later on.<\/p>\n<h3>Ping of Death<\/h3>\n<p>The ping of death attack, or PoD, can cripple a network based on a  flaw in the TCP\/IP system. The maximum size for a packet is 65,535  bytes. If one were to send a packet larger than that, the receiving  computer would ultimately crash from confusion.<\/p>\n<p>Sending a ping of this size is against the rules of the TCP\/IP  protocol, but hackers can bypass this by cleverly sending the packets in  fragments. When the fragments are assembled on the receiving computer,  the overall packet size is too great. 
This will cause a buffer overflow  and crash the device.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.learn-networking.com\/wp-content\/oldimages\/ping-of-death.jpg\" alt=\"ping of death\" \/><\/p>\n<p>Luckily, most devices created after 1998 are immune to this kind of  attack. If you are running a network with outdated devices this will  indeed be a possible threat to your network. In this case, upgrade your  devices if possible.<\/p>\n<h3>Smurf \/ Smurfing<\/h3>\n<p>When conducting a smurf attack, attackers will spoof their IP  address to be the same as the victim\u2019s IP address. This will cause great  confusion on the victim\u2019s network, and a massive flood of traffic will  be sent to the victim\u2019s networking device, if done correctly.<\/p>\n<p>Most firewalls protect against smurf attacks, but if you do notice  one, there are several things you can do. If you have access to the  router your network or website is on, simply tell it to not forward  packets to broadcast addresses. In a Cisco router, simply use the  command: no ip directed-broadcast.<\/p>\n<p>This won\u2019t necessarily nullify the smurf attack, but it will greatly  reduce the impact and also prevent your network or website from  attacking others by passing on the attack. Optionally, you could upgrade  your router to newer Cisco routers, which automatically filter out the  spoofed IP addresses that smurf attacks rely on.<\/p>\n<h3>Fraggle<\/h3>\n<p>A Fraggle attack is exactly the same as a smurf attack, except that  it uses the user datagram protocol, or UDP, rather than the more common  transmission control protocol, or TCP. Fraggle attacks, like smurf  attacks, are starting to become outdated and are commonly stopped by  most firewalls or routers.<\/p>\n<p>If indeed you think you are being plagued by a fraggle attack, simply  block the echo port, located at port 7. You may also wish to block port  19, which is another commonly used fraggle exploitable port. 
This  attack is generally less powerful than the smurf attack, since the TCP  protocol is much more widely used than the UDP protocol.<\/p>\n<h3>SYN Flood<\/h3>\n<p>The SYN flood attack takes advantage of the TCP three-way handshake.  This method operates two separate ways. Both methods attempt to start a  three-way handshake, but not complete it. You can view the proper  three-way handshake below.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.learn-networking.com\/wp-content\/oldimages\/syn-flood.jpg\" alt=\"syn flood\" \/><\/p>\n<p>The first attack method can be achieved when the attacker sends a  synchronize request, or SYN, with a spoofed IP address. When the server  tries to send back a SYN-ACK request, or synchronize-acknowledge  request, it will obviously not get a response. This means that the  server never obtains the client\u2019s ACK request, and resources are left  half-open.<\/p>\n<p>Alternatively, the attacker can just choose to not send the  acknowledgement request. Both of these methods stall the server, who is  patiently waiting for the ACK request. Thankfully, this hole in the  three-way handshake has been patched for years, just like the ping of  death attack. Should you suspect that your older devices are the subject  of this attack, upgrade them immediately.<\/p>\n<h3>Teardrop<\/h3>\n<p>In the teardrop attack, packet fragments are sent in a jumbled and  confused order. When the receiving device attempts to reassemble them,  it obviously won\u2019t know how to handle the request. Older versions of  operating systems will simply just crash when this occurs.<\/p>\n<p>Operating systems such as Windows NT, Windows 95, and even Linux  versions prior to version 2.1.63 are vulnerable to the teardrop attack.  
As stated earlier, upgrading your network hardware and software is the  best way to stay secure from these types of attacks.<\/p>\n<h3>Distributed Denial of Service<\/h3>\n<p>This is by far the most deadly of all denial of service attacks,  since an easy fix is hard to come by. Instead of just installing the  latest hardware and software, network administrators will usually need  extra help with these types of attacks.<\/p>\n<p>A distributed denial of service attack, or DDoS, is much like the  ping flood method, only multiple computers are being used. In this  instance, the computers that are being used may or may not be aware of  the fact that they are attacking a website or network. Trojans and  viruses commonly give the hacker control of a computer, and thus, the  ability to use them for attack. In this case the victim computers are  called zombies.<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.learn-networking.com\/wp-content\/oldimages\/distributed-denial-of-service.jpg\" alt=\"DDoS attack\" \/><\/p>\n<p>A DDoS attack is very tough to overcome. The first thing to do is to  contact your hosting provider or internet service provider, depending on  what is under attack. They will usually be able to filter out the bulk  of the traffic based on where it\u2019s coming from. For more large-scale  attacks, you\u2019ll have to become more creative.<\/p>\n<p>If you have access to your router, and are running a Cisco brand,  enter the following command into your router command prompt: No ip  verify unicast reverse-path.<\/p>\n<p>This will ensure that attackers can\u2019t spoof their IP address. This  will still be a problem for zombie computers however, since those IP  addresses aren\u2019t spoofed at all. 
In this case, you can do one of several  things.<\/p>\n<h4>Options in DDoS Prevention<\/h4>\n<ul>\n<hr \/>\n<li> <strong>1.<\/strong> Hire a security company to assess and repair the damage<\/li>\n<li><strong>2.<\/strong> Buy an intrusion detection system (IDS)<\/li>\n<hr \/>\n<\/ul>\n<p>As a last resort, the traffic can be routed to a sink hole, which  will route all traffic elsewhere until a solution can be obtained. This  will route good traffic and bad traffic- so this is usually not a good  choice.<\/p>\n<h3>Closing Comments<\/h3>\n<p>As you can tell, the majority of denial of service attacks can be  prevented through simply upgrading to the latest hardware and software.  In the case of distributed denial of service attacks, we have less  simplistic options to work with.<\/p>\n<p>Even giants such as Microsoft have fallen victim to the DDoS attack.  Generally, it\u2019s a good idea to not make many enemies- and keep a sharp  watch on your network at all times. And in the event that you do track  an attacker down, keep two things in mind. First, it may be a spoofed IP  address, and thus, a false lead. Second, never attack back. Simply  contact the authorities and wait for the justice system to do its work.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The denial of service attack is statistically the most used malicious attack out of them all. This stems from the ease of use of the attack, as well as the alarming lethality. Literally anyone can bring down a website with a simple command prompt. 
The question is- how do you protect against an attack that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-519","post","type-post","status-publish","format-standard","hentry","category-sec-secops"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=519"}],"version-history":[{"count":3,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/519\/revisions"}],"predecessor-version":[{"id":1202,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/519\/revisions\/1202"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=519"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}