Understanding DoS

Thread: Understanding DoS

  1. #1
    Senior Member
    Join Date
    May 2003
    Posts
    472

    Understanding DoS

    **************DISCLAIMER**************

    Friends, before someone else posts any comment on this article, I would like to say a few things.

    First of all, this article is by no means a full and complete coverage. It is just a part. I would like to cover DDoS and DRDoS attacks in different articles, so they are almost left out of this one.

    But in fact it is one of the most comprehensive documents on DoS on the internet. That's what I believe.

    Secondly, a lot of help has been taken from the net and books by known and anonymous sources. It's almost impossible to name all of these. But I don't want to sound lame by claiming it solely as my own original creation. So I do acknowledge their work.

    ********************************************************

    DoS And DDoS Attacks

    Introduction

    In this tutorial we are going to have a quick look at DoS and DDoS attacks, how they are performed and why they attract so much attention! We won't be getting into much detail as we are just trying to give everyone a better understanding of the problem.

    Denial of Service attacks

    Denial of Service (DoS) attacks can be a serious federal crime with penalties that include years of imprisonment and many countries have laws that attempt to protect against this.


    Description

    A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

    -attempts to "flood" a network, thereby preventing legitimate network traffic
    -attempts to disrupt connections between two machines, thereby preventing access to a service
    -attempts to prevent a particular individual from accessing a service
    -attempts to disrupt service to a specific system or person

    Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack.

    Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.

    Impact

    Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization.

    Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

    Types of DoS attacks:

    1) Operating System attacks: Which target bugs in specific operating systems and can be fixed with patches.

    2) Networking attacks: Which exploit inherent limitations of networking and may require firewall protection.

    Operating System Attacks

    These attacks exploit bugs in a specific operating system (OS), which is the basic software that your computer runs, such as Windows 98 or MacOS. In general, when these problems are identified, the vendor, such as Microsoft, will release an update or bug fix for them.

    So, as a first step, always make sure you have the very latest version of your operating system, including all bug fixes. All Windows users should regularly visit Microsoft's Windows Update Site (and I mean at least once a week!) which automatically checks to see if you need any updates.

    Networking Attacks

    These attacks exploit inherent limitations of networking to disconnect you from your ISP, but don't usually cause your computer to crash. Sometimes it doesn't even matter what kind of operating system you use and you cannot patch or fix the problem directly. The attacks on Yahoo and Amazon by "mafiaboy" were large scale networking attacks and demonstrated that nobody is safe against a very determined attacker.

    Network attacks include ICMP flood (ping flood) and smurf, which are outright floods of data to overwhelm the capacity of your connection; spoofed unreach/redirect, also known as "click", which tricks your computer into thinking there is a network failure and voluntarily breaking the connection (this is used to disconnect mIRC users); and a whole new generation of distributed denial of service attacks (we speak about them later on).

    Just because you were disconnected with some unusual error message doesn't mean you were attacked. Almost all disconnects are due to natural network failures. On the other hand, you should feel suspicious if you are frequently disconnected.

    In a networking DoS attack, a host somewhere on the Internet sends a stream of packets to the target server, but uses a false return address within the packet. When the server attempts to acknowledge the opening of a connection with the sender, the sender's bogus address cannot subsequently be contacted. Because the nature of the Internet means that packets are often lost or delayed, the TCP/IP protocol has measures built into it that will repeatedly continue trying to contact the sender, until it finally times out. While this retry process is going on, the sender continues to send even more packets with yet more invalid source addresses, all of which go onto retry until finally the machine cannot respond to any more requests. The next step the machine takes is to either shut down the interface, or start to refuse any more connections, including those that are from legitimate sources. The use of fake IP return addresses not only is the cause of the failure, it serves to effectively disguise the identity of the person launching the attack.

    Historically, a networking DoS attack aimed at a server could be effectively mounted from a single Internet node. Now however, the vast capacity for throughput, coupled with advances in server clustering and load balancing, mean that originating the attack from one destination is no longer sufficient, and hackers must be a little more creative in their attempts to shut down servers.

    So how do you get more than one machine to launch a DoS attack against a target? The method used by hackers involves planting lots of small DoS attack programs on various Internet nodes, which can then be triggered from another Internet location. When the hacker wants to initiate an attack, he or she simply sends a trigger command to all of the DoS programs around the Internet, and they start the attack in concert.

    The result is a very comprehensive and almost impossible to trace DoS attack. This type of attack, known as a Distributed Denial of Service (DDoS) attack, first appeared in 1998, and is gaining popularity fast! In this scenario, a side issue of the main DoS attack is that machines "infected" with the DoS attack programs have usually been hacked themselves, unbeknownst to the owners and administrators of the system.

    MODES OF ATTACK

    Denial-of-service attacks come in a variety of forms and aim at a variety of services.

    There are three basic types of attack:

    -Consumption of scarce, limited, or non-renewable resources.
    -Destruction or alteration of configuration information.
    -Physical destruction or alteration of network components.

    Consumption of Scarce Resources

    Computers and networks need certain things to operate: network bandwidth, memory and disk space, CPU time, data structures, access to other computers and networks, and certain environmental resources such as power, cool air, or even water.

    Network Connectivity

    Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood".

    In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus "half-open" connections.

    You should note that this type of attack does not depend on the attacker being able to consume your network bandwidth. In this case, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.)

    Using Your Own Resources Against You

    An intruder can also use your own resources against you in unexpected ways.

    In this attack, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected.

    Bandwidth Consumption

    An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.

    Consumption of Other Resources

    In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For example, in many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself. Many modern operating systems have quota facilities to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the associated time spent switching between processes. Consult your operating system vendor or operating system manuals for details on available quota facilities for your system.

    An intruder may also attempt to consume disk space in other ways, including:

    -generating excessive numbers of mail messages
    -intentionally generating errors that must be logged
    -placing files in anonymous ftp areas or network shares.

    In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written.

    Also, many sites have schemes in place to "lockout" an account after a certain number of failed login attempts. A typical set up locks out an account after 3 or 5 failed login attempts. An intruder may be able to use this scheme to prevent legitimate users from logging in. In some cases, even the privileged accounts, such as root or administrator, may be subject to this type of attack. Be sure you have a method to gain access to the systems under emergency circumstances. Consult your operating system vendor or your operating systems manual for details on lockout facilities and emergency entry procedures.

    An intruder may be able to cause your systems to crash or become unstable by sending unexpected data over the network.

    If your systems are experiencing frequent crashes with no apparent cause, it could be the result of this type of attack.

    There are other things that may be vulnerable to denial of service that you may wish to monitor. These include:

    -printers
    -tape devices
    -network connections
    -other limited resources important to the operation of your organization


    Distributed Denial-of-Service

    A distributed denial-of-service (DDoS) attack is similar to the DoS attack described above, but involves a multitude of compromised systems which attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

    A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The result of these packets which are sent to the target causes a denial of service.

    While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target and as well the systems controlled by the intruder.

    Categorizing DoS Attacks

    SYN-ACK attacks or TCP-SYN flooding

    A SYN-ACK attack exploits the TCP/IP mechanism by using a three-way handshake in order to establish a communications link. By only initiating the handshakes and not responding to the server's acknowledgements, SYN-ACK attacks force the server to store huge numbers of acknowledgement packets in its backlog queue, with the objective of overflowing the queue and disabling the server's ability to issue any more acknowledgements. One variation of SYN-ACK attacks actually spoofs the IP address of the victim's system so that the system is taken out of service by talking to itself.

    Teardrop attacks

    Teardrop attacks exploit IP mechanisms involved in the reassembly of packets that have been disassembled for efficient transmission. In normal practice, each packet fragment looks like the original IP packet with the exception of an offset field that specifies which bytes of the original packet are included (i.e. bytes 400 through 600), thereby enabling the receiving system to reassemble all of the data in the proper sequence. By purposely creating packet fragments with overlapping offset fields, these types of attacks make it impossible for the victim's system to correctly reassemble the packet fragments, which can sometimes cause the destination system to hang, crash or reboot.

    Smurf attacks

    Smurf attacks take advantage of direct broadcast addressing mechanisms by spoofing the target system's IP address and broadcasting Internet Control Message Protocol (ICMP) ping requests across multiple subnets. This attack clogs the victim's network with bogus ICMP echo requests and responses, thereby making it unavailable to legitimate traffic. All intermediary systems that are co-opted or drawn into the echo-response cycle become victims of this attack, both suffering from and contributing to overall network congestion.

    Oversized packet attacks

    Sometimes referred to as "ping of death" attacks, oversized packet attacks exploit a known bug in some TCP/IP implementations by using the ping utility to send packets that exceed the maximum 65,536 bytes of data allowed by the IP specification. When it first emerged, this type of attack caused crashes, hangs or reboots in victims' systems. However, most operating system vendors have now addressed this issue with software updates that enable smooth disposition of oversized packets.

    UDP Flood Attacks

    This DoS attack takes advantage of User Datagram Protocol (UDP) mechanisms by creating bogus UDP connections between unsuspecting systems. When a connection is established between two UDP services, each of which produces output, the combined effects can produce a very high number of packets and result in denial of service to legitimate users. In UDP flood attacks, the intruders use forged UDP packets to connect the echo service on one machine to the chargen service on the other machine, causing the two machines to consume all available bandwidth on the connection between them.

    GET DoS Attacks

    This is a relatively new attack and is specifically aimed at webservers. This attack was chosen by hackers after they found almost all the ports of the web servers closed except for port 80. Now, to attack the webservers, they started sending specially crafted requests to webservers from spoofed IPs.

    A website GET DoS/DDoS is executed by flooding one or more of the site's web servers with so many HTTP GET requests (GET being the usual means of requesting a webpage) that it becomes unavailable for normal use. If an innocent user makes normal page requests during an attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable. GET DDoS attacks typically take advantage of several computers which simultaneously launch hundreds of thousands of requests at the target website. In order not to be traced, the perpetrators will break into unsecured computers on the internet, hide rogue DDoS programs on them, and then use them as unwitting accomplices to anonymously launch the attack.

    DETAILS OF SOME COMMON ATTACKS

    TCP SYN Flooding and IP Spoofing Attacks

    Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is potentially subject to this attack. Note that in addition to attacks launched at specific hosts, these attacks could also be launched against your routers or other network server systems if these hosts enable (or turn on) other TCP services (e.g., echo). The consequences of the attack may vary depending on the system; however, the attack itself is fundamental to the TCP protocol used by all systems.

    I. Description

    When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections--telnet, Web, email, etc.

    The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:


    Client                          Server
    ------                          ------
    SYN ----------------------->
        <----------------------- SYN-ACK
    ACK ----------------------->

    Client and server can now send service-specific data

    The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.

    Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.

    The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

    In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections.

    However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

    The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.

    II. Impact

    Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. The service itself is not harmed by the attack; usually only the ability to provide the service is impaired. In some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

    III. Detecting an Attack

    Users of the attacked server system may notice nothing unusual since the IP-spoofed connection requests may not load the system noticeably. The system is still able to establish outgoing connections. The problem will most likely be noticed by client systems attempting to access one of the services on the victim system.

    To verify that this attack is occurring, check the state of the server system's network traffic. For example, on SunOS this may be done by the command:

    netstat -a -f inet

    Note that use of the above command depends on the OS version; for example, on a *nix system use:

    netstat -s |grep "listenqueue overflows"

    Too many connections in the state "SYN_RECEIVED" could indicate that the system is being attacked.

    Solution

    There is, as yet, no generally accepted solution to this problem with the current IP protocol technology. However, proper router configuration can reduce the likelihood that your site will be the source of one of these attacks.

    With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can take steps to reduce the number of IP-spoofed packets entering and exiting your network.

    Currently, the best method is to install a filtering firewall that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site.

    The combination of these two filters would prevent outside attackers from sending you packets pretending to be from your internal network. It would also prevent packets originating within your network from pretending to be from outside your network. These filters will *not* stop all TCP SYN attacks, since outside attackers can spoof packets from *any* outside network, and internal attackers can still send attacks spoofing internal addresses.

    On the input to your external interface, that is coming from the Internet to your network, you should block packets with the following addresses:

    Broadcast Networks: The addresses to block here are network 0 (the all zeros broadcast address) and network 255.255.255.255 (the all ones broadcast network).

    Your local network(s): These are your network addresses

    Reserved private network numbers: The following networks are defined as reserved private networks, and no traffic should ever be received from or transmitted to these networks through a router:

    10.0.0.0 - 10.255.255.255 10/8 (reserved)
    127.0.0.0 - 127.255.255.255 127/8 (loopback)
    172.16.0.0 - 172.31.255.255 172.16/12 (reserved)
    192.168.0.0 - 192.168.255.255 192.168/16 (reserved)

    UDP Port Denial-of-Service Attack

    I. Description

    When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed.

    For example, by connecting a host's `chargen` service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network.

    II. Impact

    Anyone with network connectivity can cause a denial of service. This attack does not enable them to gain additional access.

    III. Solution

    1. Disable and filter chargen and echo services.

    This attack is most readily exploited using the chargen or echo services, neither of which is generally needed as far as we are aware. We recommend that you disable both services on the host and filter them at the firewall or Internet gateway.

    2. Disable and filter other unused UDP services.
    To protect against similar attacks against other services, we recommend:
    - disabling all unused UDP services on hosts, and
    - blocking at firewalls all UDP ports less than 900 with the exception of specific services you require, such as DNS (port 53).

    Denial-of-Service Attack via ping aka Ping of Death

    Description

    The TCP/IP specification (the basis for many protocols used on the Internet) allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and 0 or more octets of optional information, with the rest of the packet being data. It is known that some systems will react in an unpredictable fashion when receiving oversized IP packets. Reports indicate a range of reactions including crashing, freezing, and rebooting.

    In particular, the Internet Control Message Protocol (ICMP) packets issued via the "ping" command have been used to trigger this behavior. ICMP is a subset of the TCP/IP suite of protocols that transmits error and control messages between systems. Two specific instances of the ICMP are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. These two instances can be used by a local host to determine whether a remote system is reachable via the network; this is commonly achieved using the "ping" command.

    Attack arises from the use of the "ping" command to construct oversized ICMP datagrams (which are encapsulated within an IP packet). Many ping implementations by default send ICMP datagrams consisting only of the 8 octets of ICMP header information but allow the user to specify a larger packet size if desired

    Although these days ping does not allow oversized packet creation, it is not impossible to create and send oversized ICMP packets.

    Preventing DoS Attacks

    Preventing DDoS attacks is not easy; filtering what are effectively legitimate access requests is simply doing the attacker's job for him. Your upstream ISP may be able to block entire IP ranges to prevent attacks from specific subnets (in a case where many attacking clients are from the same network). Alternatively, you may be able to rehost the service on a different machine; changing the IP address of your host can often sidestep the attack. Assuming your DNS and routing are kept carefully synchronised, a minimum of interruption can be achieved.

    Prevention is the best cure, though. To avoid DDoS attacks, make sure your network is not participating in them. Perform virus scans for DDoS agents regularly, check for machines with ports servicing DDoS port number, and make sure that your firewall blocks packets with spoofed source addresses from originating inside your network. If you can be fairly sure you are not participating in DDoS attacks by keeping your own network clean, and everyone else does the same, the number of DDoS incidents would drop substantially.

    Unfortunately, not many network admins bother to configure outgoing filters on their firewalls, or even run anti-virus applications. However, every administrator who tightens up his own environment and is guilty of allowing DDoS attacks to originate from within his network is one step closer to a safer Internet.

    To beat SYN flooding attacks, one needs to solve the problem of the finite-size queue, or figure out a smart way to filter the spoofed source address.

    A solution called "SYN cookies" is aimed at overcoming the problem of the finite-size queue. Rather than using the queue to maintain information on pending connection requests, the server stores the information in a cookie and sends the cookie to the client. The server creates the outgoing sequence number as a one-way hash (like MD5) of the concatenation of the incoming information (source address, source port number, source sequence number, destination address, destination port number), a secret key, and a counter that changes every minute. When the ACK comes back, the server computes the same hash using the last few counters, and matches the acknowledged sequence number with the results of the hash. If it matches one of the results, then the server sets up the TCB (trusted computing base) if it does not already exist. Otherwise, the packet will be thrown away.

    The second approach is a filtering method that can prohibit an attacker within the originating network from launching a SYN flooding attack using spoofed source addresses that do not conform to ingress filtering rules. The rules say that transit traffic which originates from a downstream network must be restricted to known and assigned prefix(es). If a packet originating from the downstream network has a source address not within the assigned prefix(es), then the packet will be denied. For example, in Figure 1 the attacker resides within prefix 10.0.0.0/8, which is provided Internet connectivity by ISP A. An input traffic filter on the ingress link of router 1 will allow only traffic originating from source addresses within the 10.0.0.0/8 prefix, and prohibits the attacker from using illegitimate addresses outside the 10.0.0.0/8 range. The denied packets then can serve as a basis for monitoring suspicious activity.

    Observations

    -87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on zombies

    -TCP protocol was most commonly used

    -ICMP next favorite protocol

    Proposed framework in action (Attack Detection)

    Capture packet headers. Flag packet as potential attack if:

    -Number of sources that connect to the same destination within one second exceeds 60.

    -The traffic rate exceeds 40K packets/s

    Access Control Policies Enforced By Firewall To Avoid DoS

    -Limit the number of connections (e.g., cap the total number of Pings to a server farm)
    -Limit the number of connections-per-second (a dramatic increase in the rate of new connection signals a DoS attack)
    -Discard TCP/UDP packets when an excessive number of connections to an identical IP address has been detected
    -Isolate attackers by IP/MAC address/range or DNS name
    -Block traffic coming from outside with set of valid internal source addresses (e.g., address spoofing)
    -Block any packet generated from an outside address that belongs to an illegitimate range of source addresses (e.g., illegal outside traffic)
    -Filter applications or protocols by specific signature recognition (e.g., HTTP authentication)
    -Filter by content, including HTTP URL or filenames that may include worms
    -Block attempts to Telnet (FTP or any other application) into the internal network
    -Control the use of (or block) P2P applications that can distribute worms
    -Limit bandwidth or access to resources (links, servers etc.)
    guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
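The SYN-cookie scheme described in the post, as an added example that is not part of the original post or any named product. Assumptions: a constructed demo secret, a counter that ticks once per minute, a keyed SHA-256 truncated to 32 bits standing in for "MD5 over the 5-tuple plus secret", and no MSS encoding (real implementations also pack the negotiated MSS into the cookie).

```python
import hashlib
import hmac

# Added example, not the post's code. SECRET is a constructed demo value;
# in practice it is generated at boot and never leaves the server.
SECRET = b"constructed-demo-secret-key"
COUNTER_PERIOD = 60     # seconds per counter tick ("changes every minute")
MAX_AGE_TICKS = 2       # accept cookies minted up to two ticks ago

def counter_at(now):
    """Counter value for a point in time (seconds since epoch)."""
    return int(now // COUNTER_PERIOD)

def cookie(src, sport, client_seq, dst, dport, counter):
    """32-bit one-way hash of the incoming 5-tuple data, the secret and the counter."""
    msg = f"{src}|{sport}|{client_seq}|{dst}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")   # fits the TCP sequence field

def make_syn_cookie(src, sport, client_seq, dst, dport, now):
    """Server ISN to put in the SYN-ACK. Nothing is queued for the half-open
    connection, so a flood of SYNs cannot fill a backlog."""
    return cookie(src, sport, client_seq, dst, dport, counter_at(now))

def validate_ack(src, sport, client_seq, dst, dport, ack_num, now):
    """The final ACK acknowledges ISN+1. Recompute the cookie for the current
    and the last few counters; True means allocate the connection state now,
    False means the packet is dropped (stale, forged, or spoofed 5-tuple)."""
    acked_isn = ((ack_num - 1) & 0xFFFFFFFF).to_bytes(4, "big")
    current = counter_at(now)
    for c in range(current, current - MAX_AGE_TICKS - 1, -1):
        candidate = cookie(src, sport, client_seq, dst, dport, c).to_bytes(4, "big")
        if hmac.compare_digest(acked_isn, candidate):
            return True
    return False
```

Note that a spoofed source never sees the SYN-ACK, so it cannot learn the cookie and its ACK (if any) fails validation.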
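The ingress filter at router 1 and the two flagging rules from "Proposed framework in action", as an added example that is not part of the original post. The packet records are constructed (time in seconds, source, destination, protocol) and the thresholds are the post's 60 sources per second and 40K packets/s.

```python
import ipaddress
from collections import defaultdict

# Added example, not the post's code. Records are (time_s, src_ip, dst_ip, proto).

def apply_ingress_filter(packets, assigned_prefixes):
    """Router-1 rule: forward downstream traffic only if its source lies in the
    assigned prefix(es); denied packets are kept for monitoring."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    forwarded, denied = [], []
    for pkt in packets:
        addr = ipaddress.ip_address(pkt[1])
        (forwarded if any(addr in n for n in nets) else denied).append(pkt)
    return forwarded, denied

def detect_attack(packets, max_sources=60, max_pps=40_000):
    """Flag each (destination, second) bucket that breaks either threshold."""
    sources = defaultdict(set)
    counts = defaultdict(int)
    for t, src, dst, _proto in packets:
        key = (dst, int(t))
        sources[key].add(src)
        counts[key] += 1
    flagged = {}
    for key, n in counts.items():
        reasons = []
        if len(sources[key]) > max_sources:
            reasons.append(f"{len(sources[key])} sources in one second")
        if n > max_pps:
            reasons.append(f"{n} packets/s")
        if reasons:
            flagged[key] = reasons
    return flagged

def sample_packets():
    """Constructed capture: 10.0.0.0/8 is the downstream prefix behind router 1."""
    pkts = []
    # second 0: five internal hosts browsing, well under both thresholds
    for i in range(5):
        pkts.append((0.1 * i, f"10.0.1.{i + 1}", "203.0.113.7", "TCP"))
    # second 1: 70 distinct spoofed sources outside 10.0.0.0/8 hit one target
    for i in range(70):
        pkts.append((1.0 + i / 1000, f"198.51.100.{i + 1}", "203.0.113.7", "TCP"))
    # second 2: one internal host emits 41,000 ICMP packets (ingress passes it,
    # so the rate rule, not the filter, is what catches it)
    pkts.extend((2.0, "10.0.2.9", "203.0.113.7", "ICMP") for _ in range(41_000))
    return pkts
```

Running detection on the full capture rather than only on forwarded packets keeps the spoofed burst visible, which is the monitoring use of denied packets the post mentions.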

  2. #2
    Junior Member
    Join Date
    Oct 2003
    Posts
    20
    Good tutorial

    Access Control Policies Enforced By Firewall To Avoid DoS

    -Limit the number of connections (e.g., cap the total number of Pings to a server farm)
    -Limit the number of connections-per-second (a dramatic increase in the rate of new connection signals a DoS attack)
    -Discard TCP/UDP packets when an excessive number of connections to an identical IP address has been detected
    -Isolate attackers by IP/MAC address/range or DNS name
    -Block traffic coming from outside with set of valid internal source addresses (e.g., address spoofing)
    -Block any packet generated from an outside address that belongs to an illegitimate range of source addresses (e.g., illegal outside traffic)
    -Filter applications or protocols by specific signature recognition (e.g., HTTP authentication)
    -Filter by content, including HTTP URL or filenames that may include worms
    -Block attempts to Telnet (FTP or any other application) into the internal network
    -Control the use of (or block) P2P applications that can distribute worms
    -Limit bandwidth or access to resources (links, servers etc.)

    Good advice

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I think this should go in newsletter #11.

    Great work.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4
    Junior Member
    Join Date
    Nov 2003
    Posts
    6


    Really liked the tutorial you wrote and hope for more work from you. This is the kind of useful information that tutorial writers should produce more often.

  5. #5
    I know you had your disclaimer on the top but...
    You copied and pasted so much in this paper that I will point out some sources.
    http://www.mampu.gov.my/Publications...G/2001/dsa.htm
    http://www.google.nl/search?q=cache:...hl=nl&ie=UTF-8
    http://networking.earthweb.com/netse...cle.php/623851
    http://www.google.nl/search?q=cache:...hl=nl&ie=UTF-8
    http://www.firewall.cx/dosattacks.php
    http://www.itp.net/features/980333182529002.htm
    I am not saying you copied and pasted exactly from these sites (there may be more sources), but since you took the time to copy and paste from the sites, you could have taken the time to include CnP-ing the URLs.
    Newbies get negged for stuff like this

    Cheers
    noODle

  6. #6
    Senior Member
    Join Date
    Jun 2003
    Posts
    220
    good one... learnt a lot from this one!!
    keep it up!!
    Now is the moment, or NEVER!!!

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    472
    right no0dle....

    but I had almost every stuff on my HDD... some .txt, some .html, some .pdf stuff...
    I prepared it in one night. I had to give a presentation on it and was intimated just the night before. But I thought this would be a very good reading for everyone. That's the reason this is here.

  8. #8
    Its a good article, no doubt.
    It took me less than five minutes to dig those links up tho.

  9. #9
    Just a Virtualized Geek (MrLinus)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Originally posted here by Striek
    I think this should go in newsletter #11.
    This won't appear in the newsletter. I prefer to take stuff that hasn't been published on the site yet (although some authors will circumvent the publication sometimes).

    As for this post, it's good and clear as to the understanding of DoS (notably DRDoS is missing.. ) but given that some of the material isn't original I'm not sure if it should stay. NullDevice, at the least, perhaps give proper reference to the original sources since they were found for you?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  10. #10
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    Quick link about drdos: http://www.grc.com/dos/drdos.htm
    Double Dutch
