
Thread: Misconceptions about DOS & DDOS

  1. #1
    Senior Member
    Join Date
    Jul 2002

    Misconceptions about DOS & DDOS

    There seems to be a misconception that a DoS or DDoS can be blocked with a firewall, and it's just bugged me to no end. So I hope this will clear things up a bit.

    Tiger Shark
    There are two types of DoS. There's the kind that confuses, crashes or overwhelms the target with packets that are malformed or contain data/instructions designed to do that, and the kind where you "fill the pipe" with so much traffic that nothing valuable can occur until the "flood" has stopped.

    The first can be stopped by patches or systems that recognize the attempt and intercept the traffic, or by shutting down the affected service, thus allowing other services to continue. The second type you are helpless to prevent. You need, at a minimum, your ISP to drop the packets if he can. If not, grab a beer and hope they give up before you have to drive home....

    The second is a flood type DoS that fills the pipe in which you are still up the river without the proverbial paddle because the traffic in your pipe is blocking valid requests anyway so the firewall dropping the invalid ones is of no help.

    Dropped or not, [packets] they're still traffic on the pipe. You get enough of them and you're going to be deprived of service. Not as easily as hogging the server's resources, but a DoS just the same.

    The action you need to take depends on the type of DoS attack

    If it's a web application / web server DoS attack, it needs fully formed TCP connections to be effective - therefore it cannot use spoofed IPs, so you should record the IPs and block them at your firewall. Also you can use some web server plugin modules like mod_security or its IIS equivalents to identify DoS attempts and block them, also some lame bandwidth DoS attempts.

    If it's a synflood, just turn syn cookies on on your web servers or redirectors, job done.

    If it's a bandwidth DoS, that is the hardest problem, it will be using spoofed source IPs set randomly, so you can't block the IPs at an upstream firewall. The DoSers will be using a TCP packet type which is part of legitimate traffic, so you can't block it upstream by flags or port numbers either.

    Of course a local firewall has absolutely no effect on a bandwidth DoS, because the bandwidth is exhausted before it even gets there.

    Your best bet is to work with your upstream providers, and get them to work with their peers to identify the routes used by the DoS traffic, and attempt to narrow it down to a given area, and if it's a truly distributed attack, there may be little they can do.

    One option is to get your upstream provider to install some kind of QoS to somehow limit this traffic, to give established legitimate connections higher priority, or to set up a stateful firewall upstream, but again, this is dependent on how many resources your upstream provider has to throw at the problem.

    a firewall is supposed to be able to take care of a DoS attack
    No, it isn't.

    Credit given to original author. Some words were changed or added in my decision on what to put here. More may be added later as I find it. Or feel free to add your own.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  3. #3
    AO's MMA Fanatic! Computernerd22
    Join Date
    Mar 2003
    Miami, FL
    Darksnake very nice. BTW I thought if you performed a DoS attack on a firewall it would make it completely useless? Computernerd22

  4. #4
    0_o Mastermind keezel
    Join Date
    Jun 2003
    Originally posted here by Computernerd22
    Darksnake very nice. BTW I thought if you performed a DoS attack on a firewall it would make it completely useless? Computernerd22
    So did I. I read somewhere that the firewall will recognize a DoS attack and pick out the offending IP and block/ignore all traffic from that source. True that it puts a strain on the firewall....but while the firewall is working overtime, I thought everything else was supposed to function normally. (Just b/c I read it somewhere doesn't mean it's true...) So how is this not true? I read the "mini-tutorial" but I still didn't quite find the answer to that.

  5. #5
    @ŢΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    St. Petersburg, FL
    A firewall will stop a DoS attack from affecting your machine so to speak, but it (the DoS) will deny others from using any service provided by your machine. Syncookies are nice and all, but if all the bandwidth is being used by the DoS... You're SOL.
    Real security doesn't come with an installer.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    I always thought that if a firewall could detect multiple, if not an enormous amount of, SYN packets (or any for that matter, or better yet an unusual amount) that it would be able to deny that IP from attacking? For instance, if I was being DoSed and I saw on my IP continued TCP SYN packet probes/attacks from a certain IP, then I would drop the connection and block the IP (let alone report it to the ISP, but that's another story).

    I have to agree though that a firewall typically isn't supposed to take care of a DoS attack, although when you think about a firewall and you know its main goal is to monitor/maintain incoming and outgoing traffic, you think about a DoS attack and the traffic sent/received.

    (the DoS) will deny others from using any service provided by your machine.
    Yeah, this is also what I thought to be true as well. Thus the name "Denial of Service": those that use the particular service (be it a webserver, etc.) wouldn't be able to. Anyways, very good information DarkSnake.
    Space For Rent.. =]

  7. #7
    Senior Member
    Join Date
    Apr 2004
    If the attack pattern is to crash a specific type of service or subvert it, a firewall can prevent a DoS attack.
    But if the DoS attack objective is "fill the pipe", nothing can be done at the client side. Only the ISP can help in that case.
    BTW, "fill the pipe" DoS attacks aren't common, because it is hard to get a "zombie" network big enough to have a huge BW to attack someone. Nowadays, the common attack is a reflected DDoS or a bot DDoS.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Best resource I have seen on DoS/DDoS: http://staff.washington.edu/dittrich/misc/ddos/ If ya got a better link please post it
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  9. #9
    A typical firewall won't take care of a DoS attack. But there are certain hardware firewalls that will, but they are expensive and are not very effective. As for software firewalls I don't know.

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Ok, I admit it, I was generalising.

    A DoS attack, by its nature, consists of traffic attacking a legitimate service that is intended for the public or authorised users. Therefore you can't simply block traffic to that service, as that would DoS yourself.

    SOME DoS attacks (the easy to prevent kind) work by sending malformed stuff, or trying to overload stuff at the application level. These can be prevented or mitigated by a sufficiently clever firewall (for instance that does content filtering). Also, as these attacks require valid TCP connections (or some kind of bidirectional traffic), the attacker cannot spoof their IP. Even in the case of fairly large scale DDoS, if the attackers are not spoofing, you can filter them all, or create some sufficiently clever scripts to dynamically create rules without affecting most legit users.

    HOWEVER the trouble starts when they use spoofing. Either they flood your app with useless spoofed requests, for example in the case of a UDP-based server, it uses its own resources trying to respond to these spoofed messages, and ultimately runs out. OR they send traffic where each packet looks legit to a non-stateful firewall, but is actually total rubbish spoofed.

    You can't filter this junk out upstream, because it simply isn't easy enough for an upstream to know whether it's real or fake. It doesn't have any identifying characteristics, they typically randomise:

    - Packet lengths
    - TCP flags and attributes (within believable values)
    - data
    - source address

    And of course the destination address is some legitimate service, for example a real web server.

    So the upstream provider *cannot* filter it by any means, and attempt to achieve a reasonable hit-rate unless they install stateful inspection, which for an upstream provider, could prove very expensive.

    I *am* speaking from experience.
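    Added example (not code from the thread or any poster): a defender-side triage script that applies the distinction drawn in #1 and in #10 above, namely whether a flood comes from a few real sources that completed handshakes (so their IPs can be recorded and blocked locally) or from randomised spoofed sources that never complete one (so per-IP rules are useless and only the upstream provider can help). The "src=... state=..." record format, the sample records and the thresholds are assumptions chosen for illustration.

    ```python
    from collections import Counter

    # Constructed connection records (not real logs) in the form
    # "src=<ip> state=<SYN|EST>": SYN = only a SYN was seen (half-open),
    # EST = the three-way handshake completed.
    # Three real hosts hammering a web server plus a few ordinary visitors:
    APP_DOS_LOG = [f"src=203.0.113.{10 + i % 3} state=EST" for i in range(30)] + \
                  [f"src=192.0.2.{i} state=EST" for i in range(1, 6)]
    # A SYN flood where every packet carries a different (spoofed) source:
    SPOOFED_FLOOD_LOG = [f"src=198.51.100.{i} state=SYN" for i in range(1, 41)]


    def parse(line):
        """Split 'key=value' fields of one record into a dict."""
        return dict(field.split("=", 1) for field in line.split())


    def classify(lines, per_src_threshold=5, unique_ratio=0.8, est_ratio=0.1):
        """Decide which mitigation the thread describes applies.

        Returns ('block_by_ip', [ips]) when a few sources with completed
        handshakes dominate: those IPs are real and can be blocked locally.
        Returns ('spoofed_flood', []) when almost every record has a distinct
        source and handshakes never complete: the sources are randomised,
        so blocking by IP cannot help and the upstream provider must act.
        Returns ('normal', []) when nothing stands out.
        """
        records = [parse(line) for line in lines]
        if not records:
            return ("normal", [])
        n = len(records)
        per_src = Counter(r["src"] for r in records)
        established = sum(1 for r in records if r["state"] == "EST")
        # Randomised sources: unique-source ratio high, handshake ratio low.
        if len(per_src) / n >= unique_ratio and established / n < est_ratio:
            return ("spoofed_flood", [])
        heavy = sorted(ip for ip, count in per_src.items()
                       if count >= per_src_threshold)
        return ("block_by_ip", heavy) if heavy else ("normal", [])


    if __name__ == "__main__":
        print(classify(APP_DOS_LOG))        # three blockable real sources
        print(classify(SPOOFED_FLOOD_LOG))  # escalate to upstream instead
    ```
    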

