Category:Denial of Service
From SecurityForest
In computer security, a denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers where the attack is aiming to cause the hosted web pages to be unavailable on the Internet. It is a computer crime that violates the Internet proper use policy as indicated by the Internet Architecture Board (IAB).
DoS attacks have two general forms:
- Force the victim computer(s) to reset or consume its resources such that it can no longer provide its intended service.
- Obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately.
Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack. Illegitimate use of resources may also result in denial of service. For example, an intruder may use one's anonymous FTP area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.
- Smurf - http://www.phreak.org/archives/exploits/denial/smurf.c
:In the Smurf DoS attack, the return (source) IP address of the ping packets is forged to be the IP of the targeted machine. The ping is issued to the entire IP broadcast address. This causes every machine on that network to respond to the bogus ping packets and reply to the targeted machine, which floods it. This is called a Smurf attack because the DoS tool used to perform the attack is called Smurf.
- Fraggle - http://www.phreak.org/archives/exploits/denial/fraggle.c
:The Fraggle DoS attack is essentially based on the same concept as the Smurf attack (namely that generating huge amounts of network traffic will disable a machine or cause it to lose connectivity to the Internet), but uses UDP instead of ICMP. Although it is not as serious as some other attacks of this type, it will still generate a huge amount of network traffic. Here is how it works: a hacker is armed with a list of broadcast addresses, to which he/she sends spoofed UDP packets. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, they are directed to the chargen port (a port that generates a stream of characters when queried). Sometimes a hacker is able to set up a loop between the echo and chargen ports, generating that much more network traffic (this variant generally works on NT boxes). The result of this attack is, as stated earlier, a massive amount of traffic on the network. Whole networks may crawl to a stop, and individual systems may lose connectivity to the Internet and/or, in some cases, crash.
- SYNK4 - http://www.niksula.hut.fi/~dforsber/synflood/programs/synk4.c
:First, a client system initiates a connection by sending a SYN message (the message that begins the client-server "handshake") to the server. The server acknowledges the SYN message by sending a SYN-ACKNOWLEDGE, or SYN-ACK, message to the client attempting to connect. The client then finishes establishing the connection by responding with an ACKNOWLEDGE, or ACK, message of its own. The connection between the client and the server is then open, and data can be exchanged between the client and server. SYN flooding attacks, SYNK4 included, work by creating scores of half-open connections. A half-open connection occurs when the server sends a SYN-ACK message but never receives an ACK message from the client. This is achieved when the attacking system sends SYN messages to a target server with a return address other than its own (known as IP spoofing). The server then sends a SYN-ACK message to the machine specified in the SYN message, which is, of course, not the IP address of the attacking machine. Thus, the server never receives the final ACK (as the system receiving the SYN-ACK message cannot respond to it) and the connection is never fully completed. These uncompleted connections are called "pending connections," and are written to a buffer of limited size. As the attacking machine creates an ever increasing number of pending connections, the buffer described above eventually fills up and overflows. The number of pending connections that a system can handle simultaneously varies, depending on the operating system.
- Land - http://www.phreak.org/archives/exploits/denial/land.c
:Sending a packet to a machine with the source host/port the same as the destination host/port crashes a lot of boxes.
- LaTierra - http://www.phreak.org/archives/exploits/denial/smurf.c
:La Tierra basically works by sending NT SP3 the same packet used in land.c but to any port. Sounds simple? There's more to it. Cycle through a range of ports and see what happens. It doesn't appear to matter if the port is open or closed :-) Since NT won't let this happen again on the same port, you simply change ports, and you can easily go back to the original port and it'll work again.
- TearDrop - http://ftp4.de.freesbie.org/pub/misc/www.rootshell.com/hacking/teardrop.c
:Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data. (Also check out newtear, bonk and syndrop on Google; they are very similar.)
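The Smurf and Fraggle entries above describe the same signature at the victim: replies from many hosts on one broadcast network aimed at a target that never sent the requests. The detector below is an added example (not code from the page or from the tools it lists) that runs over constructed flow records; the record layout and the /24 grouping are assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed flow records (not real captures): proto src dst sport dport packets
FLOWS = """\
icmp-reply 203.0.113.5 198.51.100.9 0 0 120
icmp-reply 203.0.113.17 198.51.100.9 0 0 118
icmp-reply 203.0.113.88 198.51.100.9 0 0 121
udp 203.0.113.5 198.51.100.9 7 1234 300
udp 203.0.113.17 198.51.100.9 19 1234 280
tcp 192.0.2.44 198.51.100.9 443 51022 30
"""

REFLECTOR_PORTS = {7, 19}   # echo and chargen, the ports named for Fraggle


def parse_flows(text):
    """Yield (proto, src, dst, sport, dport, packets) from the constructed records."""
    for line in text.splitlines():
        proto, src, dst, sport, dport, pkts = line.split()
        yield proto, src, dst, int(sport), int(dport), int(pkts)


def reflected_flood_report(text, min_sources=3):
    """Group reflected replies by (victim, replying /24) and report any group
    with at least min_sources distinct replying hosts: many hosts of one
    broadcast network answering one victim is the Smurf/Fraggle signature."""
    sources = defaultdict(set)
    for proto, src, dst, sport, dport, pkts in parse_flows(text):
        is_smurf = proto == "icmp-reply"                          # echo replies to forged pings
        is_fraggle = proto == "udp" and sport in REFLECTOR_PORTS  # echo/chargen answers
        if not (is_smurf or is_fraggle):
            continue
        net = str(ipaddress.ip_network(src + "/24", strict=False))
        sources[(dst, net)].add(src)
    return {key: len(v) for key, v in sources.items() if len(v) >= min_sources}
```

In the constructed data the victim 198.51.100.9 is answered by three hosts of 203.0.113.0/24, so it is reported; the ordinary TCP flow is ignored.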
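The SYNK4 entry explains that pending connections live in a buffer of limited size and that spoofed SYNs are never completed. The model below is an added example (not code from the page or from SYNK4) of that buffer: the capacity, the SYN-RECV timeout and the source addresses are constructed assumptions, chosen to show a legitimate handshake being refused during the flood and accepted again once the stale entries have been reaped.

```python
from dataclasses import dataclass, field


@dataclass
class PendingTable:
    """Listener's buffer of half-open connections (SYN-ACK sent, ACK not yet seen)."""
    capacity: int = 8          # assumed backlog size; real values are OS-specific
    timeout: float = 60.0      # assumed seconds a SYN-RECV entry is kept
    pending: dict = field(default_factory=dict)   # (src_ip, src_port) -> SYN-ACK time
    refused: int = 0

    def _expire(self, now):
        """Reap entries older than the timeout; this is what frees slots again."""
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def on_syn(self, src, now):
        """SYN arrives: reserve a slot and answer SYN-ACK. False means buffer full."""
        self._expire(now)
        if src in self.pending:
            return True            # retransmitted SYN reuses its entry
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, src):
        """Final ACK completes the handshake and removes the pending entry."""
        return self.pending.pop(src, None) is not None


def simulate_flood(spoofed, capacity=8, timeout=60.0):
    """Spoofed SYNs (never ACKed, constructed sources) followed by one legitimate
    SYN during the flood and one after the entries have timed out."""
    table = PendingTable(capacity, timeout)
    for i in range(spoofed):
        table.on_syn(("10.0.0.%d" % (i + 1), 40000 + i), now=0.0)
    during = table.on_syn(("192.0.2.10", 51000), now=1.0)
    after = table.on_syn(("192.0.2.10", 51000), now=timeout + 2)
    return len(table.pending), during, after, table.refused
```

With 20 spoofed SYNs against a capacity of 8, the legitimate client is refused while the flood occupies the buffer and succeeds only after the timeout has cleared it; a flood sustained faster than the timeout reaps entries keeps the buffer full.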
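The Teardrop entry above names the bug but not the arithmetic behind it. The added example below (not code from the page or from teardrop.c) models a reassembler that trims overlap only from the front of a fragment and so computes a negative copy length when a fragment ends inside the one before it, beside a hardened check that rejects overlapping fragments before any copying. Fragment offsets are assumed to be already converted from 8-byte units to bytes, and the sample fragment lists are constructed.

```python
from typing import List, Tuple

Fragment = Tuple[int, int]   # (byte offset of the fragment, payload length)


def naive_copy_lengths(fragments: List[Fragment]) -> List[int]:
    """Copy length per fragment as a buggy reassembler computes it: a fragment
    that starts inside the previous one has its offset bumped to the previous
    end, but its end is never checked, so a fragment that also ENDS inside the
    previous one yields a negative length (a huge unsigned copy in C)."""
    lengths, prev_end = [], 0
    for offset, length in sorted(fragments):
        end = offset + length
        if offset < prev_end:
            offset = prev_end              # trim the overlap from the front only
        lengths.append(end - offset)       # negative when end < prev_end
        prev_end = max(prev_end, end)
    return lengths


def fragments_are_sane(fragments: List[Fragment]) -> bool:
    """Hardened check to run before any copying: every fragment must have a
    positive length and must not overlap an earlier fragment at all."""
    prev_end = 0
    for offset, length in sorted(fragments):
        if length <= 0 or offset < prev_end:
            return False
        prev_end = offset + length
    return True


# Constructed inputs: a normally split datagram, and a Teardrop-style pair whose
# second fragment lies entirely inside the first.
BENIGN = [(0, 1480), (1480, 1480), (2960, 200)]
TEARDROP_LIKE = [(0, 36), (24, 4)]
```

For TEARDROP_LIKE the naive reassembler wants to copy -8 bytes for the second fragment, which is the condition the hardened check refuses.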
Additional Resources
These are just the basic types of DoS attacks. Attrition (http://attrition.org/security/denial/) offers a much larger and more specific selection of DoS attacks, and the Phreak archives (http://phreak.org/archives/) offer even more basic types. And of course Google is your friend as well: most exploits end with .c, so when trying to find an exploit, just type in its name with .c at the end (e.g. teardrop.c, land.c).
