What is Denial of Service (DoS) attack?
DoS attack, denial-of-service attack, is an explicit attempt to make a computer resource unavailable by
either injecting a computer virus or flooding the network with useless traffic.
There are two types of DoS attacks: computer attack and network attack. Common
forms of denial os services attacks are:
Ping of death
Ping of death is caused by an attacker deliverately sending a
normally 64 bytes, that is larger than the 65,535 bytes. Many computer systems
cannot handle an IP packet larger than the maximum IP packet size of 65,535,
and often causes computer systems crash. It is illegal to send a
of size greater than 65,535, but a packet of such size can be sent if it is
fragmented. When a receiving computer reassembles the packet, a buffer
overflow occurs, which often causes computer to crash. This exploit has
affected a wide variety of systems including Unix, Linux, Mac, Windows and
routers; but the fixes have been applied since 1997 making this exploit mostly
Ping of flood
Ping of flood is caused by an attacker overwhelming the victim's network
with ICMP Echo Request (ping) packets.
This is a fairly easy attack to perform without extensive network knowledge
as many ping utilities support this
operation. A flood of ping traffic can
consume singificant bandwidth on low to mid-speed networks bringing down a
network to a crawl.
Smurf attach exploits the target by sending repeated
ping request to broadcast address of the
target network. The ping request packet
often uses forged IP address (return
address), which is the target site that is to receive the denial of service
attack. The result will be lots of ping
replies flooding back to the innocent, spoofed host. If number of hosts
replying to the ping request
is large enough, the network will no longer be able to receive real traffic.
When establishing a session between TCP client and server, a hand-shaking
message exchange occurs betwen a server and client. A session setup packet
contains a SYN field that identifies the sequence in the message exchange.
An attacker may send a flood of connection request and do not respond to
the replies, which leaves the request packets in the buffer so that
legitimate connection request can't be accommodated.
Teardrop attack exploits by sending IP fragment packets that are difficult to
reassemble. A fragment packet identifies an offset that is used to assemble
the entire packet to be reassembled by the receiving system. In the teardrop
attack, the attacker's IP puts a confusing offset value in the sebsequent
fragments and if the receiving system doesn't know how to handle such
situation, it may cause the system to crash.
Unauthorized users send large number of email messages with large attachments
to a particular mail server, filling up disk space resulting in denied email
services to other users.
What is distributed DoS (DDoS) attack?
DDoS (Distributed Denial Of Service) is a tactic used to attack a victim
from multiple compromised computers. Attacker installs a virus or trojan
software on compromised systems, and use them to flood a victim's network
in a way that the victim's server cannot handle it.
DDoS involves 3 parties: an offender, helpers and a victim. The offender
is the one who plots the attack, and helpers are the machines that are
compromised by the offender to launch attack against a victim
(the target). The offender commands the helpers to attack the victim's
host at the precisely same time. Due to this co-ordinated nature between
the offender and helpers, the DDoS is also known as co-ordinated attack.
If you suspect a DoS or DDoS attack due to a significant network slowdown
or denied service, you may execute a few diagnostic
Linux commands to find a host under attack.
First, you'll have to identify a host under DoS or DDoS attack. To do this,
you'll have to monitor network traffic and see where the traffic is coming
from and where they are going. This can be done with ethereal or tethereal
0.809751 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol
(proto=UDP 0x11, off=2960)
0.810357 10.1.1.5 -> 192.168.1.4 IP Fragmented IP protocol
(proto=UDP 0x11, off=1480)
## If you do not have ethereal installed, you may use 'yum' to
## install it on your system.
# yum install tethereal
Once you have identified the host, logon to the server and find server load.
You may use w, uptime command to find server load. You may also use top and ps
commands to determin Linux process that consumes most resource.
To learn more about top command output,
please read an article about
high volume traffic.
15:19:51 up 127 days, 5:39, 2 users, load average: 10.78, 8.68,
top - 15:20:02 up 127 days, 5:39, 2 users, load average: 10.78,
Tasks: 170 total, 6 running, 163 sleeping, 0 stopped, 1 zombie
Cpu(s): 3.5% us, 1.7% sy, 0.1% ni, 94.3% id, 0.4% wa, 0.0% hi,
Mem: 2074924k total, 2046676k used, 28248k free, 58692k
Swap: 4192956k total, 144k used, 4192812k free, 1553828k
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
14815 apache 25 0 52776 628 500 R 98.6 0.0 9:59.91 cw7.3
DoS and DDoS attacks occur due to running vulnerable software on your
server(s). The attackers use known application vulnerability and
security holes to compromise the servers in different network either
by installing viruses and trojan horses (intrusion) or initiate DDoS
attacks. To prevent DoS and DDoS attacks, you may take following actions.
1. Install Intrusion Detection System (IDS) such as Advanced Intrusion Detection Environment (AIDE).
For installation procedure, consult Linux Gazzette. Perform regular system audits by installing
and running RKHUNTER and
CHROOTKIT to make sure installed
Linux binaries are healthy. You may also install open-source network
audit tools like NESSSUS,
SAINT and perform regular network audits for vulnerabilities.
2. Implement Sysctl. Prevent ping attacks (ping of death, ping of flood,
and smurf attacks) by disabling ping responses on the network machines.
Enable IP Spoofing protection, and
TCP SYN Cookie Protection. On Linux variant machines, follow
3. Install advanced firewall and DDoS utilities. To secure your server
and protect from DoS attacks, you may want to install
APF, BFD, DDoS and Rootkit. To install those utilities, please follow
DDoS Prevention: APF, BFD, DDoS and RootKit setup procedure.
APF: Advanced Policy Firewall
BFD: Brute Force Detection
DDoS: DDoS Deflate
Rootkit: Spy and Junkware detection and removal tool
4. Install Apache mod_evasive and mod_security modules to protect against HTTP DDoS attacks. For installation procedures, consult mod_evasive and mod_security how-tos.
For more technical information, please visit