What is a Denial of Service (DOS) attack?

A denial of service attack is a type of network attack in which an attacker makes a system, machine, or network unavailable to its intended users. The effect takes different forms depending on the attack: the service becomes so slow that it is unusable, the host crashes outright, or users' requests never reach their destination because the system is saturated, access is blocked, or the traffic is diverted to a host other than the intended one.

Methods of DOS Attacks

Basic methods of DOS attacks are:

Flooding Attack

A flooding attack occurs when a system receives more traffic than it can process. Requests queue up, the system slows down, and eventually it stops serving new requests at all. Some prevalent flooding attacks are:

  • Ping Flood is a type of flooding attack in which the attacker sends a high volume of Internet Control Message Protocol (ICMP) Echo Request packets to the target. If the target answers each one with an ICMP Echo Reply, it spends bandwidth and CPU on the attacker's traffic and eventually slows down or stops responding to legitimate users.
  • SYN Flood is a type of flooding attack that abuses the TCP three-way handshake. Normally a client sends a SYN, the server replies with SYN-ACK and reserves state for the half-open connection, and the client completes the handshake with an ACK. In a SYN flood the attacker sends a large number of SYN packets, often with spoofed source addresses, and never sends the final ACK, so the server's backlog fills with half-open connections and it can no longer accept handshakes from legitimate clients.
  • Smurf Flood is a type of flooding attack in which the attacker sends ICMP Echo Requests to a network's broadcast address with the source address spoofed to be the victim's. Every host on that network that answers the broadcast sends its Echo Reply to the victim, so a single request from the attacker is amplified into many replies that flood the target.
  • UDP Flood is a type of flooding attack in which the attacker sends a high volume of UDP packets to random ports on the target. For each packet the target checks whether an application is listening on that port and, when none is, replies with an ICMP Destination Unreachable message. The work of handling the packets and generating the replies exhausts the target's resources and prevents legitimate users from reaching the server.

Teardrop Attack

Teardrop is a type of DOS attack that exploits a bug in the IP fragment reassembly code of older TCP/IP implementations. A packet that is too large for a link is split into fragments, each carrying an offset, and the receiver reassembles them. The attacker sends fragments whose offsets overlap so that one fragment claims to both start and end inside the previous one; the vulnerable reassembly code computes a negative fragment length from the overlap and the target system crashes.
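
The overlap check described above, modelled in Python as an added example (this is not code from the original page). It models fragment offsets in bytes rather than the 8-byte units real IPv4 headers use, the fragments are constructed for the example, and the function names are ours: teardrop_copy_length reproduces the arithmetic of the vulnerable reassembly code, is_teardrop flags a fragment set that would trigger it, and reassemble is the safe version that rejects any overlap.

```python
"""Modelling the teardrop reassembly bug and a safe reassembler.

Added example, not code from the original page. Offsets are in bytes
(real IPv4 fragment offsets are in 8-byte units); the fragments below
are constructed for the example.
"""


def teardrop_copy_length(prev_end, offset, end):
    """Length the vulnerable reassembly code would copy for a fragment that
    starts inside the previous fragment.

    The old code moved the start of an overlapping fragment forward to
    prev_end and copied (end - start) bytes without checking the result.
    A fragment that also ENDS inside the previous one yields a negative
    length, which the C code treated as a huge unsigned size.
    """
    start = max(offset, prev_end)
    return end - start


def is_teardrop(fragments):
    """True if any fragment would make the vulnerable code copy a negative
    length. fragments: list of (offset, payload) in any order."""
    prev_end = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if teardrop_copy_length(prev_end, offset, end) < 0:
            return True
        prev_end = max(prev_end, end)
    return False


def reassemble(fragments):
    """Safe reassembly: the fragments must tile the datagram exactly.
    Any overlap or gap raises ValueError, so the overlapping pair used by
    teardrop is dropped instead of being copied (current Linux kernels
    likewise drop datagrams whose fragments overlap)."""
    buf = bytearray()
    prev_end = 0
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        end = offset + len(payload)
        if offset < prev_end:
            raise ValueError(
                f"overlapping fragment {offset}..{end}, previous ended at {prev_end}")
        if offset > prev_end:
            raise ValueError(f"gap before fragment at offset {offset}")
        buf += payload
        prev_end = end
    return bytes(buf)


# Constructed inputs: a well-formed split, and a teardrop-style pair whose
# second fragment starts and ends inside the first (offset 24, end 28 < 36).
GOOD_FRAGMENTS = [(0, b"A" * 16), (16, b"B" * 16)]
TEARDROP_FRAGMENTS = [(0, b"A" * 36), (24, b"B" * 4)]

if __name__ == "__main__":
    print(reassemble(GOOD_FRAGMENTS))
    print("teardrop?", is_teardrop(TEARDROP_FRAGMENTS))
    print("length the old code would copy:", teardrop_copy_length(36, 24, 28))
    try:
        reassemble(TEARDROP_FRAGMENTS)
    except ValueError as err:
        print("rejected:", err)
```

For the constructed pair the vulnerable arithmetic yields -8, which is the sign a fragment set is malformed; the safe reassembler never computes that value because it refuses the overlap as soon as it sees it.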


ARP Attack

This is also known as an ARP spoofing attack. The attacker sends forged Address Resolution Protocol (ARP) replies on the local network that map the target's IP address to the attacker's MAC address. Hosts that accept the forged mapping send traffic meant for the target to the attacker instead; if the attacker simply drops that traffic, the target becomes unreachable and the result is a denial of service.


DOS Vulnerabilities

The Windows security policy settings below show how a setting, if misconfigured or abused by an attacker, can itself become a DOS vulnerability. For each, the vulnerability and its potential impact on the system are described.

Setting name: Audit: Shut down system immediately if unable to log security audits 

This policy setting determines whether the system shuts down if it is unable to log Security events.

Vulnerability:  

If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown. 


Potential Impact: 

If you enable this policy setting, the administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. 


Setting name: Audit Policy: Object Access: SAM 

This subcategory reports when SAM objects are accessed.  

Vulnerability: 

If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use.  


Potential Impact: 

If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. 


Setting name: Account lockout threshold 

This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. 

Vulnerability: 

Password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed logons that can be performed. 

However, a DoS attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock out every account. 


Potential Impact: 

If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting will likely generate a number of additional help desk calls. In fact, locked accounts cause the greatest number of calls to the help desk in many organizations.  

If you enforce this setting, an attacker could cause a denial of service condition by deliberately generating failed logons for multiple users; therefore you should also configure the Account Lockout Duration to a relatively low value such as 15 minutes.

If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker’s attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. 


Preventing DOS Attacks

There is no single method that prevents DOS attacks altogether, but administrators can take proactive steps to reduce their effect on the network:

  • Use a DOS protection service that detects attack traffic and diverts abnormal traffic away from your systems
  • Maintain a disaster recovery plan so that service can be restored if an attack succeeds
  • Keep antivirus software installed, updated, and enabled at all times, so that your own hosts are not turned into sources of attack traffic
  • Configure a firewall so that only the traffic you intend to serve reaches your systems

Detecting DOS Attacks

DOS attacks are most reliably detected with a network traffic monitoring and threat detection solution, which saves time and gives results immediately. On a single host, the network statistics (netstat) command, a tool normally used for troubleshooting and configuration, can also serve as a basic monitor of the connections to the system:

Linux

The tool used to detect DOS attacks on Linux is netstat. It is part of the net-tools package; on Debian- and Ubuntu-based distributions install it with:

sudo apt-get install net-tools -y

(On distributions that no longer package net-tools, ss from iproute2 shows the same connections, though its column layout differs, so adjust the awk field below accordingly.)

To judge the load on the server, first find out how many logical processors it has:

grep processor /proc/cpuinfo | wc -l

Then compare that number with the load average reported by uptime. A load average that stays well above the number of logical processors means the system is saturated and may be under attack. To check the load on the network, install nload and run it; it shows incoming and outgoing bandwidth per interface:

sudo apt-get install nload -y

To list the IP addresses connected to the server and how many connections each holds, use:

netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r

The command prints every connected device with its number of connections, busiest source first, which makes spotting an unexpected address simple. Note that cut -d: -f1 keeps only the text before the first colon, so IPv6 peer addresses are truncated; for IPv6 peers split the address from the port at the last colon instead.


Windows

Open a command prompt and use netstat to list all connections:

netstat -na

The flags used in this command are:

Flag  Description
-n    Display addresses and port numbers in numeric form, without resolving host or service names
-a    Display all active TCP connections and also the TCP and UDP ports on which the computer is listening

Look for remote IP addresses that hold an unusually large number of connections, or many connections stuck in the SYN_RECEIVED state (half-open connections, the signature of a SYN flood), and block them at the firewall to help prevent DOS attacks.
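
The connection counting done above by the netstat | awk | cut | sort | uniq -c pipeline on Linux, and by eye with netstat -na on Windows, as an added Python example that is not code from the original page. It parses both output formats, splits the host from the port at the last colon so IPv6 peers are not mangled, and counts half-open (SYN_RECV / SYN_RECEIVED) connections separately. The listing it runs over is constructed sample output, the function names are ours, and the thresholds are assumed values to be replaced with your own baseline.

```python
"""Count connections per remote host from netstat output.

Added example, not code from the original page. The sample listing
mixes constructed Linux `netstat -ntu` and Windows `netstat -na` lines;
on a real host the text would come from running netstat.
"""
import re
from collections import defaultdict

# Constructed sample output (not captured from a real system).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.7:51237       SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.23:40001     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:55110     ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
  TCP    10.0.0.5:80            203.0.113.7:51240      SYN_RECEIVED
  TCP    [2001:db8::5]:443      [2001:db8:1::9]:55111  ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

PROTOCOLS = {"tcp", "tcp6", "udp", "udp6"}
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}      # Linux / Windows spelling
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "::"}          # listening sockets, not peers
ENDPOINT_RE = re.compile(r"^.+:(\d+|\*)$")           # 'host:port' or 'host:*'


def split_endpoint(endpoint):
    """Split 'host:port' at the LAST colon (so IPv6 hosts survive) and strip
    the brackets Windows puts around IPv6 hosts."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_connections(text):
    """Yield (remote_host, state) for each connection row of a netstat
    listing. Header and blank lines are skipped; UDP rows have no state
    column and yield '' for it."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in PROTOCOLS:
            continue
        endpoints = [t for t in tokens if ENDPOINT_RE.match(t)]
        if len(endpoints) < 2:                  # need local and foreign address
            continue
        remote_host, _ = split_endpoint(endpoints[1])
        if remote_host in WILDCARD_HOSTS:
            continue
        state = tokens[-1] if not ENDPOINT_RE.match(tokens[-1]) else ""
        yield remote_host, state


def count_peers(text):
    """Return {remote_host: (total_connections, half_open_connections)}."""
    totals = defaultdict(int)
    half_open = defaultdict(int)
    for host, state in parse_connections(text):
        totals[host] += 1
        if state in HALF_OPEN_STATES:
            half_open[host] += 1
    return {host: (totals[host], half_open[host]) for host in totals}


def suspicious_peers(text, max_total=100, max_half_open=20):
    """Hosts over either threshold as (host, total, half_open), busiest
    first. The default thresholds are assumed values, not a measured
    baseline."""
    flagged = [(h, t, s) for h, (t, s) in count_peers(text).items()
               if t > max_total or s > max_half_open]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for host, total, half in suspicious_peers(SAMPLE_NETSTAT,
                                              max_total=3, max_half_open=2):
        print(f"{host:20} total={total:<4} half-open={half}")
```

Run on the constructed listing with the thresholds lowered to 3 total or 2 half-open connections, the only host flagged is 203.0.113.7, which holds five connections of which four are half-open; the IPv6 peer is counted once as 2001:db8:1::9 whether it appeared in the Linux or the bracketed Windows form.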


System Hardening without causing downtime:

If you haven't yet established an organizational system hardening routine, now is a good time to start a hardening project. A good place to start is building your policy, usually according to best practices such as the CIS Benchmarks. The next step is implementing the policy on your network, and finally keeping your infrastructure hardened at all times.

There are two approaches to system hardening:

  1. Manual approach: most relevant to small infrastructures. If you choose it, you will need to build a test environment that simulates production accurately, so that you can see the impact of each policy change before it reaches production. Because this becomes highly complex once dependencies are tangled, organizations with medium or larger infrastructures are better served by an automated approach.

  2. Automated approach: relevant to organizations with more than about 200 machines. It relies on a hardening automation tool that removes the need for lab testing by learning your production environment and indicating the impact of each change automatically. Such a tool can make the difference between a hardened and a non-hardened infrastructure and is crucial for medium-size organizations and above.
