In this lesson, I'll discuss denial of service attacks. By the end of the lesson, you should be able to explain how denial of service attacks work, differentiate the different kinds of denial of service attacks, and summarize the defenses against denial of service attacks. Let's start with the definition of a denial of service attack. There are many definitions out there, but they are pretty much the same. A denial of service attack is an attack on the availability of a service, carried out by blocking or overwhelming communication or resources to that service. NIST defines a denial of service attack as an action that prevents or impairs the authorized use of network systems or applications by exhausting resources such as central processing units, memory, bandwidth and disk space.

Let's talk about what resources are in general. The first resource is network bandwidth. In most cases, large denial of service attacks attack the availability of systems. If we're talking cloud security, for example, denial of service attacks look at where the most bandwidth is going in order to block access to that service, like Netflix, PlayStation or Xbox. We see this in gaming quite a bit, where somebody gets mad and launches a denial of service attack on somebody else. Next are system resources, which could be CPU or memory. Application resources could include web servers or DNS servers. We could attack a web server specifically by overwhelming a certain component of that web server, such as its query handling, or do the same with the queries to a DNS server.

Let's talk about common types of DoS attacks. A ping attack is the first one we will look at. What are pings? A ping is basically a small packet that gets sent out from one system to see if another system is alive. For example, if you want to see if you have network connectivity, you can go to the command prompt on your computer and ping google.com.
Usually you'll get some kind of response that says, "I've connected to this IP address and here's how many milliseconds it took to talk to that server." A ping attack is when multiple pings, and we're talking hundreds of thousands or millions a second, overwhelm either the server or the connection. They either overwhelm the CPU and memory of the system, overwhelm the network connection, or possibly both. How do we prevent this? We can disable ping replies, either in software on the server or through firewall rules. A lot of the newer firewalls out there can rate-limit pings as well. Another note on this is that it is an older style of attack. Today there is usually plenty of network bandwidth and plenty of system resources, so ping attacks aren't really carried out much anymore, unless they target smaller services.

Another common type of DoS attack is the SYN attack. So what is a SYN attack? SYN is the first step of the three-way handshake that opens any TCP connection; TCP is a connection-based protocol. A client says, "Hey, I'm going to send you some information," and sends that to the server. The server says, "Hey, I got that information, and I'm going to send a communication back to the client saying, 'Yes, I received your information.'" Then the client sends back a communication saying, "Yes, I received your acknowledgement." The breakdown in a SYN attack is actually in that second part. The client communicates with the server, and the server says, "Hey, I'm acknowledging your connection," but then the client never responds back.
So the client keeps on sending these requests and overwhelms the system resources of the host, because the host keeps on waiting for an answer and the client never answers back. How do we prevent this? We have to modify session timeout rules, or we do rate limiting as well. This is a very effective attack because most operating systems can handle it.

Another common DoS attack is flooding. In flooding, we send various requests, any kind of request, from the attacker to the server. The type of software the other side is using determines how successful the flood, or the DoS attack, is. Application memory handling and firewall rules may prevent this kind of attack from succeeding.

Lastly, we have reflection and recursion attacks. We see these against various kinds of software, such as DNS or NTP. DNS stands for Domain Name System (or service), and NTP stands for Network Time Protocol. Both of these services rely on the server giving information back to whoever is asking for it. A reflective attack means, "Hey, we're going to ask somebody else what is going on," while a recursive attack does almost the same thing as reflection: we ask that service over and over and over again, "Give me resources for somebody else." For example, a DNS attack. The university actually suffered this kind of attack, a recursive DNS attack, back in 2010. We actually lost Internet for two days because of this attack. We accidentally turned on recursion and didn't have a good plan to stop it, and it took out the Internet on our DNS servers for several days. I'm not sure why the attacker wanted to go after us, but they had to sustain a very long connection. We were actually able to mitigate it, but the attacker was doing this kind of attack for over three weeks straight.
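To make the SYN attack and its two defenses concrete, here is an added example (not from the lecture) that models a server's half-open connection table in Python. The source addresses, backlog size and timings are constructed; it shows that without a session timeout the unanswered SYNs fill the backlog and a later legitimate client is dropped, while either a timeout or a per-source cap on half-open entries lets that client through.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SynBacklog:
    """Tracks half-open TCP connections: SYN seen, SYN-ACK sent, final ACK not yet received."""
    timeout: Optional[float]                  # seconds a half-open entry may live; None = never expires
    max_syn_per_src: Optional[int] = None     # per-source cap on simultaneous half-open entries
    capacity: int = 8                         # constructed: tiny listen backlog so exhaustion is visible
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> time the SYN arrived
    dropped: int = 0
    completed: int = 0

    def _expire(self, now: float) -> None:
        """Session timeout: evict half-open entries that have waited too long for their ACK."""
        if self.timeout is None:
            return
        for key in [k for k, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[key]

    def on_syn(self, now: float, src: str, port: int) -> bool:
        self._expire(now)
        per_src = sum(1 for (s, _) in self.half_open if s == src)
        if self.max_syn_per_src is not None and per_src >= self.max_syn_per_src:
            self.dropped += 1          # rate limit: this source already holds too many slots
            return False
        if len(self.half_open) >= self.capacity:
            self.dropped += 1          # backlog exhausted: the new SYN is dropped
            return False
        self.half_open[(src, port)] = now
        return True

    def on_ack(self, src: str, port: int) -> None:
        if self.half_open.pop((src, port), None) is not None:
            self.completed += 1        # handshake finished, slot freed

def run_trace(backlog: SynBacklog) -> int:
    """Constructed trace: 20 SYNs from one source that never answers, then a real client at t=5 s."""
    for i in range(20):
        backlog.on_syn(0.01 * i, "203.0.113.5", 1000 + i)
    if backlog.on_syn(5.0, "198.51.100.7", 40000):
        backlog.on_ack("198.51.100.7", 40000)
    return backlog.completed

def compare() -> tuple:
    # completed legitimate connections: unprotected, with session timeout, with per-source cap
    return (run_trace(SynBacklog(timeout=None)),
            run_trace(SynBacklog(timeout=3.0)),
            run_trace(SynBacklog(timeout=None, max_syn_per_src=4)))
```

`compare()` returns `(0, 1, 1)`: the unprotected backlog never frees its slots, so the legitimate client is dropped, while the timeout and the per-source cap each leave room for it.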
We mitigated it within a day and a half, really two days. But recursion allowed external providers to ask our servers over and over and over again about some other kind of query.

Defenses. There are no really good defenses against a denial of service attack unless we have some way of mitigating it. Typically we're going to ask our upstream service provider to help us out with a denial of service attack or to block specific packets, because our Internet service provider can typically handle that type of traffic; they have many different clients using their network. Developing a good plan for how to deal with a denial of service attack is what's going to help you during the attack. Make sure that you contact your upstream service provider in case this happens; maybe they can help. Backups. Backups are another way of limiting the damage caused by a denial of service attack: perhaps you have other resources available, or a secondary Internet service provider that you can route information around. This helps stop some denial of service attacks, but denial of service attacks are very effective.
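As an added example (not part of the lecture) of the recursion problem in the DNS incident above, this Python check scans resolver query log lines for recursive queries that came from outside the networks the resolver is meant to serve, which is the sign that recursion has been left open to the whole Internet. The log format, client addresses and allowed networks are constructed.

```python
import ipaddress
import re
from collections import Counter

# Networks this resolver is meant to answer recursively for (constructed example ranges).
ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed log lines, loosely modelled on a BIND query log: client address and port, the
# queried name and type, and "+" when the client set the recursion-desired flag ("-" if not).
SAMPLE_LOG = """\
client 10.0.5.12#51234 (www.example.edu): query: www.example.edu IN A + (192.0.2.53)
client 198.51.100.9#40001 (example.net): query: example.net IN A + (192.0.2.53)
client 198.51.100.9#40002 (example.org): query: example.org IN A + (192.0.2.53)
client 198.51.100.9#40003 (example.com): query: example.com IN A + (192.0.2.53)
client 203.0.113.77#3333 (ns1.example.edu): query: ns1.example.edu IN A - (192.0.2.53)
client 192.0.2.10#5555 (mail.example.edu): query: mail.example.edu IN MX + (192.0.2.53)
"""

LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+ \(\S+\): query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<rd>[+-])")

def is_allowed_recursive(ip: str) -> bool:
    """The policy the resolver should enforce: recursion only for the networks it serves."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RECURSION)

def open_recursion_sources(log_text: str) -> dict:
    """Return {client_ip: count} of recursive queries that came from outside the allowed networks.
    Any non-empty result means the server is answering recursively for the whole Internet."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["rd"] == "+" and not is_allowed_recursive(m["ip"]):
            counts[m["ip"]] += 1
    return dict(counts)
```

On the sample log the only flagged source is 198.51.100.9 with three recursive queries; the external query for ns1.example.edu is not flagged because it is a non-recursive query for a name the server is authoritative for.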