
Thread: Misconceptions about DOS & DDOS

  1. #11
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Even in the case of fairly large scale DDoS, if the attackers are not spoofing, you can filter them all, or create some sufficiently clever scripts to dynamically create rules without affecting most legit users
    In the case of a DDoS that's a pretty big job you just gave yourself. Filter them all day if you like.... They are still coming through if the source is picking random IPs to send from. That would be an issue wouldn't it? "If" is a big word..... They don't do that any more unless they are stupid....

    Then there RDDoS that spoofs too.... How do you mitigate that?

    Not meant to be "offensive". Just want to make sure we all understand the potential...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #12
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662

    Re: Misconceptions about DOS & DDOS

    Originally posted here by Darksnake
    The second is a flood type DoS that fills the pipe in which you are still up the river without the proverbial paddle because the traffic in your pipe is blocking valid requests anyway so the firewall dropping the invalid ones is of no help.
    Had no thought of that before. Thanks!
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  3. #13
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Originally posted here by Tiger Shark
    In the case of a DDoS that's a pretty big job you just gave yourself. Filter them all day if you like.... They are still coming through if the source is picking random IP's to send from.
    No, if they are not spoofing, even DDoSers have only a relatively limited number of IP addresses to use. You won't in practice see more than a couple of hundred, and in any case, you can start using some automated tools to identify them.

    Fully-formed TCP connections cannot (easily) be spoofed, so any attack which requires them forces the attacker to use their real IP address (or at least *A* real routable one). So you can block this IP and stop their attack getting through, even if there are hundreds, you're extremely unlikely to take out legit users.

    If it's a type of DoS which does spoofing, you stand almost no chance of telling even if it *is* a distributed or localised attack, because you've no idea where the packets are coming from, they tend to randomise source addresses.

    The problem is that some protocols use UDP (example: streaming services, game servers, possibly DNS) exclusively, and that generally means they can be DoS'd quite easily using spoofed packets (as the server does not require a handshake with the client before it expends resources on it). And TCP syn_cookies are only for TCP, so unless the application itself has something equivalent to syn_cookies, you're going to be stuffed.

    Of course a lot of games, streaming etc. have a parallel TCP channel, and don't set the UDP channel up until they've got a valid TCP connection; this is a good approach as it makes IP spoofing to the app much harder.

    Slarty
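Added example, not code from the post or from any of the products it mentions: a stateless cookie handshake for a UDP service, the application-level equivalent of TCP syn_cookies that Slarty says a UDP application needs. The server stores nothing for an unknown client; a session is created only when the client echoes a token that can only have been delivered to the real owner of the source address. The names (make_cookie, check_cookie, UdpServer), the 30-second slot and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example of an application-level cookie handshake for a UDP
# service. Like TCP syn_cookies, the server stores nothing for an unknown
# client: it answers HELLO with a token derived from a secret, the client's
# address and a coarse time slot, and only creates a session once that token
# comes back. A spoofed source address never receives the token, so the
# spoofer never makes the server allocate anything.

SECRET = os.urandom(32)      # server secret; rotate it periodically in practice
SLOT_SECONDS = 30            # token lifetime granularity (assumed value)


def _slot(now):
    return int(now // SLOT_SECONDS)


def _cookie_for_slot(addr, slot, secret):
    ip, port = addr
    msg = f"{ip}:{port}:{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def make_cookie(addr, now, secret=SECRET):
    """Token for the current time slot; the server keeps no record of it."""
    return _cookie_for_slot(addr, _slot(now), secret)


def check_cookie(addr, cookie, now, secret=SECRET):
    """Accept the current slot and the previous one, so a client that
    straddles a slot boundary is not rejected."""
    return any(hmac.compare_digest(_cookie_for_slot(addr, s, secret), cookie)
               for s in (_slot(now), _slot(now) - 1))


class UdpServer:
    """Minimal handler: session state exists only for addresses that proved
    they can receive traffic sent to them."""
    def __init__(self):
        self.sessions = set()

    def handle(self, addr, payload, now):
        if addr in self.sessions:
            return b"DATA-OK"                                 # established client
        if payload.startswith(b"HELLO"):
            return b"CHALLENGE " + make_cookie(addr, now)     # stateless reply
        if payload.startswith(b"COOKIE ") and check_cookie(addr, payload[7:], now):
            self.sessions.add(addr)                           # resources spent only now
            return b"SESSION-OK"
        return None                                           # drop: spoofed, stale or junk
```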

  4. #14
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    This is very interesting, as it is an area I have had no involvement in.

    What I am curious about is that a few weeks ago several security sites were taken down by DoS attacks. All at the same time, and it lasted several days, not just a few hours? (I think spywareinfo, Tom Coyote etc.)

    How was that done?.............hey, they should know all about firewalls and stuff?

    It seemed to me that they had to get additional bandwidth/resource to be able to fend off the attacks.



  5. #15
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I've no idea how these attacks "were done", I've only been describing symptoms I've seen.

    But if someone did know, I would advise them not to announce it in a public forum to discourage copycat attacks

    Slarty

  6. #16
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I take your point Slarty, but I do not see it as a technical issue.

    As far as I can see the attacks I referred to were professional, and must have relied on volume/weight of numbers, rather than some "hidden knowledge"? I think that the methodologies have already been discussed here, what I would be really interested in are the defence strategies.

    Cheers

  7. #17
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    You can see some details about a classic DoS attack
    http://www.grc.com/dos/grcdos.htm
    and a DRDoS attack
    http://www.grc.com/dos/drdos.htm
    (Gibson used to be a target. He deserves )
    Methods of attack are public. Attacks that just want to "fill the pipe" are easy to implement.
    a) bot system
    - attack and install trojan on several adsl-clients - they have 128kb-1mb BW
    - command your bots from your pc (or other zombie machine) to flood victim computer
    - use crafted packets with random source ip.
    - it's done. Victim must call ISP to try to block traffic at ISP side. However, if you craft very random packets, ISP will need some time to analyse packets and try to see a "pattern".
    b) Broadcast ping
    - some dumb companies with several IPs on internet continue to answer broadcast PING
    - send a ping to a broadcast address (4+ ips)
    - craft echo request packet with victim IP as source address
    - it's done. Everybody will send echo reply to victim, flooding his link.
    - Hard to block.
    And there are others. And tools ready to download and use.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  8. #18
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901
    If using iptables, there is some form of protection against Denial of Service attacks.

    Using the:

    -m limit
    or
    --match limit

    options.

    Examples:

    Syn-Flood-Protections: iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

    If this limit is exceeded, then depending on your RULES, the appropriate action will be taken.

    Certain portscanning protections:
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    and protection against 'ping-of-death':
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    Here again, it's the same thing. If the limit is exceeded, action is taken depending on your rulesets.

    These examples are taken from a tutorial which I'm in the process of writing. For the deeper meaning of this, wait a few days till I'm done with it.

    Cheers.

    //addon
    For some info on attacks, have a look at:

    http://www.antionline.com/showthread...hreadid=239990

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
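Added example, not code from the post or from the iptables project: a small model of how the `-m limit` match in the rules above decides which packets still match. iptables implements the match as a token bucket that refills at `--limit` (1/s here) up to `--limit-burst` (default 5); the bucket belongs to the rule, not to any source address, so during a flood a legitimate client's SYNs compete for the same tokens. The class and function names, and the traffic timestamps, are constructed.

```python
from collections import defaultdict

# Constructed model of the iptables "limit" match. Tokens refill at --limit
# per second up to --limit-burst; a packet matches the rule only while a
# token is available, otherwise it falls through to the next rule in the
# chain. One bucket per rule, shared by every source address.


class LimitMatch:
    def __init__(self, rate_per_sec=1.0, burst=5):
        self.rate = rate_per_sec        # --limit 1/s
        self.burst = burst              # --limit-burst 5 (the iptables default)
        self.tokens = float(burst)
        self.last = None

    def matches(self, ts):
        """True if a packet arriving at time ts still fits under the limit."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (ts - self.last) * self.rate)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(packets, rate=1.0, burst=5):
    """Simulate the chain
         -p tcp --syn -m limit --limit 1/s -j ACCEPT
         -p tcp --syn -j DROP
    over (timestamp, source) tuples. Returns {source: [accepted, dropped]}."""
    lim = LimitMatch(rate, burst)
    result = defaultdict(lambda: [0, 0])
    for ts, src in sorted(packets):
        result[src][0 if lim.matches(ts) else 1] += 1
    return dict(result)


# Constructed traffic: a SYN flood at 100 packets/s for 10 s from one source,
# plus a legitimate client sending two SYNs while the flood is running.
FLOOD = [(i / 100.0, "flood") for i in range(1000)]
CLIENT = [(2.5, "client"), (7.5, "client")]

if __name__ == "__main__":
    # The flood is cut to roughly burst + one packet per second, but the
    # client's SYNs are dropped too because the bucket is already empty.
    print(run_chain(FLOOD + CLIENT))
```

The global bucket is why a plain `-m limit` rule is a blunt instrument for SYN floods; the post's point that the action "depends on your rulesets" is where per-source matching or syn_cookies would come in.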

  9. #19
    Actually if you are talking types of DoS, you must consider all types....Including DNS poisoning, account deletion and something as simple as cutting power or impeding physical access to a system. Not really what you think of when you say DoS but these are still other types besides the 2 mentioned earlier.....

  10. #20
    Antionline's Security Dude instronics
    Join Date
    Dec 2002
    Posts
    901
    Yes, of course there are many other types. I just gave 2 examples here, but there are also defense mechanisms for many various other types of DoS, which cannot all be controlled by the end target. I just wanted to point out that a firewall is NOT useless against DoS. It is still a very important tool in security.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
