A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
A SYN flood attack works by never completing the handshake with the expected ACK. The malicious client can either simply not send the ACK, or it can spoof the source IP address in the SYN so that the server sends the SYN-ACK to a falsified address, which will not answer because it “knows” it never sent a SYN. Each unanswered SYN-ACK leaves a half-open connection in the server's backlog until it times out, and it is this backlog that the flood exhausts.
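The backlog effect described above, seen from the defender's side, as an added example that is not part of the original page: a small handshake tracker replayed over a constructed client-to-server packet trace (only the client's SYN and final ACK are recorded; the server's SYN-ACK is implied), which counts half-open entries per server port. The threshold values and address ranges are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed trace (not captured data): (src, dst, server_port, flags),
# seen at the server 192.0.2.10. One legitimate client completes the
# handshake; 200 spoofed sources send a single SYN each and never ACK.
TRACE = [
    ("10.0.0.5", "192.0.2.10", 80, "SYN"),
    ("10.0.0.5", "192.0.2.10", 80, "ACK"),
]
TRACE += [(f"198.51.100.{i}", "192.0.2.10", 80, "SYN") for i in range(1, 201)]
TRACE += [("10.0.0.7", "192.0.2.10", 443, "SYN"),
          ("10.0.0.7", "192.0.2.10", 443, "ACK")]


def handshake_stats(trace):
    """Replay client->server packets and return per-(server, port) counters."""
    # Every SYN makes the server allocate a half-open entry; only the
    # final ACK of the three-way handshake promotes it to ESTABLISHED.
    state = {}
    for src, dst, port, flags in trace:
        key = (src, dst, port)
        if flags == "SYN":
            state[key] = "SYN_RCVD"
        elif flags == "ACK" and state.get(key) == "SYN_RCVD":
            state[key] = "ESTABLISHED"
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for (src, dst, port), st in state.items():
        entry = stats[(dst, port)]
        if st == "SYN_RCVD":
            entry["half_open"] += 1
            entry["sources"].add(src)
        else:
            entry["established"] += 1
    return stats


def syn_flood_suspects(stats, min_half_open=100, min_ratio=10.0):
    """Flag (server, port) pairs whose backlog is dominated by half-open entries.

    Counting per destination matters: with spoofed sources each address sends
    exactly one SYN, so a per-source threshold would never fire."""
    suspects = []
    for key, e in stats.items():
        ratio = e["half_open"] / max(e["established"], 1)
        if e["half_open"] >= min_half_open and ratio >= min_ratio:
            suspects.append((key, e["half_open"], len(e["sources"])))
    return suspects
```

In the constructed trace the suspect list names port 80 with 200 half-open entries from 200 distinct sources, the signature of a spoofed flood rather than one noisy client.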
A ping flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMP Echo Request (ping) packets. It is most effective when using the flood option of ping, which sends ICMP packets as fast as possible without waiting for replies. Most implementations of ping require the user to be privileged in order to specify the flood option. It is most successful if the attacker has more bandwidth than the victim (for instance an attacker with a DSL line and the victim on a dial-up modem). The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus consuming both outgoing and incoming bandwidth. If the target system is slow enough, it is possible to consume enough of its CPU cycles for a user to notice a significant slowdown.
UDP Flood Attack
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.
Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
- Check for the application listening at that port;
- See that no application listens at that port;
- Reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent.
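The ICMP rate limiting mentioned above, as an added example that is not from the original page and is not any operating system's actual implementation: a token-bucket limiter on Destination Unreachable replies, replayed over a constructed one-second UDP port sweep. Time is kept in whole milliseconds and tokens are scaled by 1000 so the arithmetic is exact; the rate, burst and port choices are assumptions.

```python
class IcmpUnreachableLimiter:
    """Token bucket that caps ICMP Destination Unreachable replies, in the
    spirit of the per-host ICMP rate limiting operating systems apply.
    Simplified model for illustration, not a kernel algorithm."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec          # replies allowed per second, sustained
        self.cap = burst * 1000           # bucket size in milli-tokens
        self.tokens = self.cap            # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        """Return True if one ICMP reply may be sent at time now_ms."""
        elapsed = max(0, now_ms - self.last_ms)
        self.last_ms = now_ms
        # elapsed ms * rate per second == milli-tokens earned since last call
        self.tokens = min(self.cap, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def handle_udp_flood(packets, listening_ports, limiter):
    """Replay (time_ms, dst_port) datagrams arriving at a host and count what
    happens to each: handed to a listener, answered with ICMP, or silently
    dropped because the ICMP reply budget is exhausted."""
    counts = {"delivered": 0, "icmp_sent": 0, "suppressed": 0}
    for t_ms, port in packets:
        if port in listening_ports:
            counts["delivered"] += 1
        elif limiter.allow(t_ms):
            counts["icmp_sent"] += 1
        else:
            counts["suppressed"] += 1
    return counts


# Constructed flood (not captured traffic): 1000 datagrams in one second,
# one per millisecond, sweeping ports 1..1000; only DNS and NTP are open.
FLOOD = [(i, i + 1) for i in range(1000)]
LISTENING = {53, 123}

if __name__ == "__main__":
    print(handle_udp_flood(FLOOD, LISTENING, IcmpUnreachableLimiter(100, 50)))
```

With a budget of 100 replies per second and a burst of 50, the host answers only 149 of the 998 datagrams to closed ports and stays quiet for the rest, which is the part of the attack the limiter blunts; the flood's inbound bandwidth cost is unchanged.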
The software UDP Unicorn can be used for performing UDP flooding attacks.
This attack can be mitigated by deploying firewalls at key points in a network to filter out unwanted traffic. The potential victim never receives and never responds to the malicious UDP packets because the firewall stops them.
The Smurf attack is a denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim’s computer is flooded with traffic. This can slow the victim’s computer down to the point where it becomes impossible to work on.
The name Smurf comes from the file “smurf.c”, the source code of the attack program, which was released in 1997 by TFreak.
A fraggle attack is a variation of the Smurf attack in which an attacker sends a large amount of UDP traffic to ports 7 (echo) and 19 (chargen) at an IP broadcast address, with the intended victim’s spoofed source IP address. It works very similarly to the Smurf attack in that many computers on the network respond to this traffic by sending traffic back to the spoofed source IP of the victim, flooding it.
“Fraggle.c”, the source code of the attack, was also released by TFreak.
Categories of DoS Attacks
- Volume-based DoS attacks — Also called “volumetric” attacks, volume-based DoS attacks are the most common type of threat. The attacker floods the website or network with a high volume of packets or connections, which overwhelms the network equipment, servers or bandwidth. In the past, criminals would recruit volunteers to launch these attacks. Today, the most common technique uses a “botnet”: the attacker commandeers a gang of “zombies” (compromised Internet-connected machines) and uses them to send spam emails or perform other criminal acts.
- Application DoS attacks — This type of attack can target many different applications, but tends to target HTTP the most. Requiring fewer network connections to achieve their objective, application-focused DDoS attacks aim to exhaust web servers and services. Simply launching numerous HTTP POSTs or HTTP GETs can exhaust an application or web server. These attacks also target applications like DNS and Voice over IP (VoIP).
- Low-rate DoS (LDoS) attacks — Rather than relying on sheer volume, this kind of attack uses malicious code that seeks out weaknesses and design flaws in your network.
Malicious programs like Slowloris allow the attacker to take down a web server with minimal bandwidth and without the need to launch numerous attacks simultaneously. Here are some methods that have proven effective in combating DoS attacks.